http://security.stackexchange.com/questions/10202/perl-script-rootkit
Here it is, all the details. Please check it out.

On Thu, Dec 29, 2011 at 7:31 PM, Kees de Jong <[email protected]> wrote:
> If you are absolutely sure that they gained root access then there is no
> other alternative than to kill the internet on those machines.
> And then you should back up all the data you want to preserve so that you
> can reinstall those machines safely. There is no telling if they installed
> another SSH server or other nasty things like rootkits.
> Most attackers install their own SSH server so that any changes you make to
> patch your security holes aren't putting them out of business.
> Unless you have aide installed and made regular checksums of all the files
> and configs then you have no idea if anything is changed since the attack.
> You can also try rkhunter and chkrootkit to find any rootkits on your
> system, but they aren't conclusive.
>
> The only way to be sure that you are in the clear is a total new start on
> all the affected machines.
>
> PS: We all got it now, fail2ban is a great tool ;-)
>
> On Thu, Dec 29, 2011 at 15:04, Taz <[email protected]> wrote:
>> Hello, we've got various debian servers, about 15, with different
>> versions. All of them have been attacked today and granted root
>> access.
>> Can anybody help? We can give ssh access to attacked machine, it seems
>> to be serious ssh vulnerability.
>>
>> How can I contact openssh mnt?
>>
>> Thank you.
>>
>> --
>> To UNSUBSCRIBE, email to [email protected]
>> with a subject of "unsubscribe". Trouble? Contact
>> [email protected]
>> Archive:
>> http://lists.debian.org/CA+0W4N=at0esj+y3d8drzw8u+s6tcr6bcuha+w+u5rl-80v...@mail.gmail.com
>
> --
> Kind regards,
> Kees de Jong
>
> --
> The information contained in this message may be confidential and is
> intended to be exclusively for the addressee(s).
> Should you receive this message unintentionally, please do not use the
> contents herein and notify the sender immediately by return e-mail.

