[lug] Signs of hacking (was ARRG! Change One Little Thing And... HACKED?
Bamm Visscher
bamm.visscher at gmail.com
Tue Aug 16 11:22:25 MDT 2005
This is the part where you say "Dang, I wish I'd been doing some
network security monitoring." ;)
How you proceed depends on how confident you are with host based
forensics. Doesn't sound like you are too comfortable with it, and thus
a rebuild may be in your future. Don't feel bad, even the best
forensic guys out there won't give you a "100% guarantee" that your
system is clean after such a compromise.
Bammkkkk
On 8/16/05, Bill Thoen <bthoen at gisnet.com> wrote:
> Damme and Blast! I think you've put your finger on it! I am running RH 9
> and PHP and see that there's a new directory created on Jul 30 (when the
> odd process started) and here's what's in it:
>
> [root at gisnet tmp]# ls -al
> total 12
> drwxrwxrwt 3 root root 4096 Jul 30 23:03 .
> drwxr-xr-x 21 root root 4096 Oct 6 2004 ..
> drwxr-xr-x 7 apache apache 4096 Aug 10 23:11 ...
>
> I'm sure that any file named "..." and owned by apache is bad news.
>
> Now what do I do? I hope it isn't "rebuild from the ground up" time. Can I
> defuse this process some how?
--
sguil - The Analyst Console for NSM
http://sguil.sf.net
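The quoted ls output shows the classic camouflage: a directory named "..." that hides among "." and ".." in a casual listing. As an added example that is not part of either message in this thread, the shell function below scans a directory for entries whose names are made only of dots and whitespace and prints their owner and mtime, optionally limited to entries modified within the last N days (assumes GNU or BSD find with -mindepth/-maxdepth):

```sh
#!/bin/sh
# Added example, not from the thread: flag directory entries whose names are
# nothing but dots and whitespace ("...", ".. ", ". "), the camouflage seen in
# the quoted ls output for the apache-owned "..." directory in /tmp.
#
# Usage: scan_dot_camouflage DIR [DAYS]
#   DAYS, if given, restricts the scan to entries modified within that many
#   days (the quoted case: a directory created Jul 30 on a long-running box).
# Prints one "ls -ld" line per hit so owner and mtime are visible at once.

scan_dot_camouflage() {
    dir=$1
    days=$2
    # Direct children only. -mindepth 1 excludes the directory itself and find
    # never lists ".."; hidden entries are included because no -name filter is used.
    if [ -n "$days" ]; then
        set -- "$dir" -mindepth 1 -maxdepth 1 -mtime "-$days"
    else
        set -- "$dir" -mindepth 1 -maxdepth 1
    fi
    find "$@" -print 2>/dev/null | while IFS= read -r path; do
        name=${path##*/}
        # A legitimate hidden entry (.bashrc, .cache) keeps letters after the
        # dots, spaces and tabs are deleted; a camouflaged name is left empty.
        stripped=$(printf '%s' "$name" | tr -d '. \t')
        [ -z "$stripped" ] || continue
        ls -ld -- "$path"
    done
}
```

Run it against /tmp, /var/tmp and /dev/shm first; names that survive this filter are almost never created by legitimate software, and the owner field (apache, in the quoted case) points at the service that was abused to drop them.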