Don't want to scare you, but keep in mind that you have now exported sites from a hacked machine.

It is possible that the backdoor script was installed on a site, so then the script is now installed on the new machine (it happened to me once). So have a very close look at all your sites on this server. Sort on install dates etc. to see if something strange is there. If you can access the logs of the old machine then that's the best place to start. Look at the apache and ftp logs to begin.

Good luck,

Steffan

From: [email protected] [mailto:[email protected]] On behalf of Peter Robbins
Sent: Sunday 12 December 2010 20:44
To: BlueOnyx General Mailing List
Subject: [BlueOnyx:06091] Re: cant run any commands on one of our BlueOnyxboxes

Yes, you are both right. I have just finished the imports to the new VM machine. One should never underestimate the ingenuity of hackers and script kiddies; I speak from experience. We couldn't leave the machine as it was, in a perceived compromised position. So it has been cmuExport'ed. I will look through the logs, see if I can see a problem, and then delete the original VM machine.

Thanks to all for your help!

Sent from my iPhone

On 12 Dec 2010, at 19:03, "Chuck Tetlow" <[email protected]> wrote:

I completely agree with Chris - the backdoor that was used to gain access in the first place may still be there. Plus, any rootkits installed are still there. THAT is a dangerous situation.

I'd recommend keeping that box off-line while you do cmuExports of all sites. Build a new box and cmuImport them all into that new box. Before you import - make sure that the new box is fully up-to-date to minimize vulnerabilities. And after importing everything/getting it working - make a complete box backup before putting it back on line. That way, you've got an emergency restore in case it happens again. After all - the vulnerability/exploit may have been in something in one of those sites. And as soon as you put it back on line - this could happen again.

I'd wait till after I got the box and sites back up - but you need to carefully check the logs to see if you can spot how this happened. If not - you're just putting that rebuilt box out there and crossing your fingers that it doesn't happen again.

Chuck

---------- Original Message -----------
From: Chris Gebhardt - VIRTBIZ Internet <[email protected]>
To: BlueOnyx General Mailing List <[email protected]>
Sent: Sun, 12 Dec 2010 12:48:10 -0600
Subject: [BlueOnyx:06089] Re: cant run any commands on one of our BlueOnyxboxes

> Peter Robbins - Bridgewater Software Group wrote:
> > Not bad for 16 hours continuous work all through the night and next
> > day. I am off to bed now.
>
> So if I understand correctly, you loaded in a new /lib and /usr/lib onto
> the broken box (or virtual, as the case may be), then put it right back
> to work?
>
> If I haven't missed something that sounds fairly dangerous, especially
> if you've not located what caused the issue in the first place. I hope
> you're not in for another round of this.
>
> --
> Chris Gebhardt
> VIRTBIZ Internet Services
> Access, Web Hosting, Colocation, Dedicated
> www.virtbiz.com | toll-free (866) 4 VIRTBIZ
> _______________________________________________
> Blueonyx mailing list
> [email protected]
> http://www.blueonyx.it/mailman/listinfo/blueonyx
------- End of Original Message -------
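The check Steffan describes (go through the imported sites sorted by date, then look at the web server logs) as a worked shell example. This is added here and is not code from the mailing-list thread or from BlueOnyx itself. It assumes a document root under home/sites/<site>/web (an assumed layout) and builds its own constructed sample site tree and constructed Apache access-log lines, so it runs offline: it lists files modified after a cutoff date that you trust, then pulls every access-log line that requested one of those files, so you can see when and from where a late-arriving file was touched.

```shell
#!/bin/sh
# Added example: find files changed after a trusted date under an imported
# site and correlate them with the Apache access log. Not from the thread;
# the site layout, file names and log lines are constructed sample data.

# Create a constructed sample site tree in a temp dir and print its path.
make_sample_site() {
    _site_root=$(mktemp -d)
    _web="$_site_root/home/sites/site1/web"   # assumed BlueOnyx-style docroot
    mkdir -p "$_web/images"
    printf '<?php echo "hello"; ?>\n' > "$_web/index.php"
    printf 'not really a png\n' > "$_web/images/logo.png"
    # Constructed "strange" file: it appeared months after the site was installed.
    printf '<?php /* unexpected file */ ?>\n' > "$_web/images/cache.php"
    touch -t 201006011000 "$_web/index.php" "$_web/images/logo.png"
    touch -t 201012100300 "$_web/images/cache.php"
    printf '%s\n' "$_site_root"
}

# Write a constructed Apache combined-format access log and print its path.
make_sample_log() {
    _logf=$(mktemp)
    cat > "$_logf" <<'EOF'
192.0.2.10 - - [01/Dec/2010:09:12:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Dec/2010:09:12:02 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2010:03:05:12 +0000] "POST /images/cache.php HTTP/1.1" 200 45 "-" "Mozilla/4.0"
198.51.100.7 - - [11/Dec/2010:22:41:09 +0000] "POST /images/cache.php HTTP/1.1" 200 45 "-" "Mozilla/4.0"
EOF
    printf '%s\n' "$_logf"
}

# List files under DOCROOT modified after CUTOFF (YYYYMMDDhhmm), one
# web-relative path per line. A reference file is used so plain POSIX
# find(1) -newer works without GNU-only date options.
list_recent_files() {
    _docroot=$1
    _cutoff=$2
    _ref=$(mktemp)
    touch -t "$_cutoff" "$_ref"
    find "$_docroot" -type f -newer "$_ref" | sed "s|^$_docroot||" | sort
    rm -f "$_ref"
}

# Read web-relative paths on stdin and print every access-log line in
# LOGFILE that requested one of them (request line is "METHOD /path HTTP/x").
log_hits_for() {
    _log=$1
    while IFS= read -r _path; do
        [ -n "$_path" ] || continue
        grep -F -- " $_path " "$_log" || true
    done
}

# Demo run against the constructed data; cutoff is a date you trust the
# site was clean (2010-11-01 here).
demo_site=$(make_sample_site)
demo_log=$(make_sample_log)
echo "Files changed after 2010-11-01 under $demo_site:"
list_recent_files "$demo_site/home/sites/site1/web" 201011010000
echo "Access-log lines requesting those files:"
list_recent_files "$demo_site/home/sites/site1/web" 201011010000 | log_hits_for "$demo_log"
rm -rf "$demo_site" "$demo_log"
```

On a real box you would point `list_recent_files` at each site's document root with the install date of that site as the cutoff, and `log_hits_for` at the site's actual access log; a file that nobody uploaded but that receives POST requests from a single address is exactly the kind of "something strange" the thread is talking about.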
