08Jun2009 (UTC +8)

They all got good suggestions here. Do activate your company's Incident Response Plan.

If you don't have one, and this is an ad hoc response, please *document* your every action before proceeding any further. Trust me, when a company does a post-mortem analysis later, sysadmins get a lot of heat if upper management thinks they didn't respond well enough.

Normally, I too would suggest that you go with Fooler's option #2 below, as it's exciting. You'd want to know who, what, where, when, why and how. Fooler's option #2 is great *if* you know what you want, how you're going to do it, if your systems have layers of defense, if you're certain that backups have not yet been compromised, and if you're confident enough to do it.

If you decide to let the suspect machine stay online for a while so you can observe anything that's happening, get a BackTrack CD, boot it on another machine, and run "nmap -v -v -p0-65535 -sS -A --reason -oA CentOS-TCP-scan-date CentOS-server" and "nmap -v -v -p0-65535 -sU -A --reason -oA CentOS-UDP-scan-date CentOS-server". That may give you more answers than your basic nmap scan. On the same observation machine, which is on the same hub as the suspect machine, run "tcpdump -v -v -s 0 -i eth0" and see what's going on. Be prepared to analyze GBs of *.cap files, and note that Wireshark chokes on large files. You'll figure out what to do next based on your observations.

If you decide to go with Fooler's option #1 however, at least document everything as well, and dd the hard disk of the suspect machine so you have a hard disk image to examine later, before you re-install everything on that CentOS machine.

On Mon, Jun 8, 2009 at 10:54, fooler mail <[email protected]> wrote:
> On Mon, Jun 8, 2009 at 10:25 AM, Iris Lames <[email protected]> wrote:
>>
>> If my ftp problem does not bind to any service, I feel relieved. But then
>> again, the question is "what caused my ftp to be open?". I'm now wondering
>> if this is a bug from CentOS.
>
> it is not a bug.. your system was hacked.. you cannot use any
> applications (e.g. netstat, lsof, etc) in your system as the hacker
> already modified those...
>
> the port 21 is the hacker remote backdoor going to your system...
>
> you have two options..
>
> 1. reinstall your entire system without catching the hacker
> 2. stay as is at the moment and catch the hacker...
>
> for number 2... there are lots of ways to catch the source ip address
> of this hacker.. but don't do this inside your hacked system... if you
> want option number 2... just let us know..

Drexx Laggui -- CISA, CISSP, CFE Associate, ISO27001 LA, CCSI, CSA
http://www.laggui.com ( Singapore / Manila / California )
Computer forensics; Penetration testing; QMS & ISMS developers; K-Transfer
PGP fingerprint = 6E62 A089 E3EA 1B93 BFB4 8363 FFEC 3976 FF31 8A4E
_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
http://lists.linux.org.ph/mailman/listinfo/plug
Searchable Archives: http://archives.free.net.ph
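The "dd the hard disk and document everything" step from Drexx's reply, as an added shell example that is not part of the thread above. It assumes GNU coreutils (dd, sha256sum, tee) on the live-CD observer machine, with the suspect disk attached there and NOT mounted (fooler's point: the hacked system's own netstat, lsof and friends can't be trusted, and neither can its dd). The function names image_disk, verify_image and log_action are this example's own, and the SOURCE argument is whatever path the disk shows up as, e.g. /dev/sdb; in the test it is a constructed file.

```shell
#!/bin/sh
# Added example, not code from the PLUG thread. Evidence-preserving disk
# imaging for "option #1": copy the suspect disk with dd, hash what was read
# and what was written, and keep a timestamped log of every action so the
# post-mortem has a record. Assumes GNU coreutils (dd, sha256sum, tee, date).

# log_action LOGFILE MESSAGE -- append one UTC-timestamped line to the log.
# Keep the log on the observer machine, never on the suspect host.
log_action() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" >> "$1"
}

# image_disk SOURCE IMAGE LOGFILE [BLOCKSIZE]
# Copies SOURCE to IMAGE in one pass, hashing the byte stream dd produced
# (the acquisition hash) and then the file that landed on disk (the
# verification hash). Prints the hash and returns 0 only when both match.
# conv=noerror,sync keeps going on unreadable sectors and pads them with
# zeros instead of shifting every later offset; with bs=512 a bad sector
# costs exactly one sector. Caveat: conv=sync pads a final short block, so
# a plain file whose size is not a multiple of BLOCKSIZE will hash
# differently from the raw source (a whole disk is always a multiple of 512).
image_disk() {
    src="$1"; img="$2"; log="$3"; bs="${4:-512}"
    log_action "$log" "imaging start: src=$src img=$img bs=$bs host=$(uname -n)"
    stream_hash=$(dd if="$src" bs="$bs" conv=noerror,sync 2>>"$log" \
                  | tee "$img" | sha256sum | cut -d' ' -f1)
    log_action "$log" "acquisition sha256=$stream_hash"
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    log_action "$log" "image sha256=$img_hash"
    if [ -n "$stream_hash" ] && [ "$stream_hash" = "$img_hash" ]; then
        log_action "$log" "VERIFIED: acquisition and image hashes match"
        printf '%s\n' "$img_hash"
        return 0
    fi
    log_action "$log" "MISMATCH: image on disk does not match what was read"
    printf '%s\n' "$img_hash"
    return 1
}

# verify_image IMAGE EXPECTED_HASH -- re-hash the image before every analysis
# session and refuse to proceed if it no longer matches the logged hash.
verify_image() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Usage (run from the live CD, with the suspect disk unmounted):
#   h=$(image_disk /dev/sdb /evidence/centos-sda.img /evidence/actions.log)
#   verify_image /evidence/centos-sda.img "$h" || echo "image altered"
```

Work from a copy of the image when you start examining it, and rerun verify_image against the hash in the log each time, so the original acquisition stays untouched for whoever has to defend the findings later.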

