[lug] shared server hacked

Simos blug at chinesetearoom.com
Wed Mar 2 21:51:02 MST 2011


On Wednesday 02 March 2011 09:39:06 pm Kenneth D. Weinert wrote:
> On 03/02/2011 09:33 PM, Stephen Kraus wrote:
> > Do you mean the other end of the link as in whoever was watching the server?
> 
> No, sorry - the other file(s) that are linked to the file I want to get
> rid of.

Ken,

I assume you are talking about a hard link, which means it's going to be in the
same filesystem as the original file. Both files will have the same inode and you
can use find to track it down, for example:

$ touch newfile

$ ls -li newfile
971253 -rw-r--r-- 1 simos simos 0 2011-03-02 21:47 newfile

$ ln newfile newlink

$ ls -li newfile newlink
971253 -rw-r--r-- 2 simos simos 0 2011-03-02 21:47 newfile
971253 -rw-r--r-- 2 simos simos 0 2011-03-02 21:47 newlink

$ find /home -inum 971253
/home/simos/newlink
/home/simos/newfile

Replace /home with the root of the filesystem that the original file is in.

> All the added files are owned by the account owner which indicates to me
> that the hosting company had a root exploit. Good conclusion?

Either that or someone got access to your login credentials. Seems pretty
targeted to me.

Regards,

Simos
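
The inode lookup described in the message above, as an added example that is not part of the original post: it reports the link count, lists every path that is the same file, and flags links that the search did not reach. It assumes GNU coreutils stat and GNU find; the function names and the demo tree are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes GNU stat and GNU find.

# link_count FILE: number of directory entries that point at FILE's inode.
# A count of 1 means there are no other hard links to look for.
link_count() {
    stat -c '%h' -- "$1"
}

# find_hardlinks FILE [ROOT]: print every path under ROOT that is the same
# file as FILE. ROOT defaults to the mount point of FILE's filesystem.
find_hardlinks() {
    file=$1
    [ -e "$file" ] || { echo "no such file: $file" >&2; return 1; }
    root=${2:-$(stat -c '%m' -- "$file")}
    # -xdev: stay on one filesystem, since hard links cannot cross filesystems.
    # -samefile: compares device and inode, so an equal inode number on
    # another filesystem is never reported as a match.
    find "$root" -xdev -samefile "$file" 2>/dev/null
}

# unaccounted_links FILE [ROOT]: link count minus paths found. A non-zero
# result means links exist outside ROOT or in directories this user cannot
# read, so the cleanup is not complete yet.
unaccounted_links() {
    found=$(find_hardlinks "$1" "$2" | wc -l)
    echo $(( $(link_count "$1") - $found ))
}

# Constructed demo tree: one file with a second link in another directory.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/a" "$demo_dir/b"
touch "$demo_dir/a/newfile"
ln "$demo_dir/a/newfile" "$demo_dir/b/newlink"
link_count "$demo_dir/a/newfile"
find_hardlinks "$demo_dir/a/newfile" "$demo_dir"
# Searching only a/ misses the link in b/, which this check reports.
unaccounted_links "$demo_dir/a/newfile" "$demo_dir/a"
rm -rf "$demo_dir"
```

Run it as root when the file may be linked from directories the account cannot read; otherwise unaccounted_links stays above zero.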


