At 06:16 PM 1/15/2001 +0100, you wrote:
>Hello,
>
>I'm suffering an attack: at 09:42 of January 15th all the "index.html" files
>in my server had been changed to a html page that says "Hackers love
>noodles"!!!

As my friend says:
        "You will back up. It might be before you lose all your files, it might be 
after, but one day you WILL back your files up"

I hope you're one of the few that backed up /before/

>I am trying to get from where this was done but I'm kind of lost... any help
>would be appreciated!!!

1. Check your log files. I must say though - if they got in, they probably cleaned up 
your log files already.

2. You have more problems than you know - you've got to find out how they got in. 
You're also going to have to reinstall from your Install CDs, because they've probably 
left a back door that may not be easy to find. Simply patching the original hole they 
came in through isn't good enough.

If you have enough disk or tape space you might consider making an exact bit-for-bit 
copy of your drive with dd and saving it for review later. That way, once you get your 
server back online, you can closely examine the compromised system and try to see what 
they did. If you do that, make an md5sum of the image.

Oh, one more thing: GET THAT SERVER OFF THE NET until you're done reinstalling. I mean 
it - you're a danger to yourself and others as long as you're online and compromised. 
Why? Because you're not in control of your system - the cracker is.

Best wishes for speedy recovery.

Oh, you might want to run netstat before you shut the server down and see what sockets 
are open.

>Thanks,
>Tomás
>
>Tomas Garcia Ferrari
>
>Bigital
>http://bigital.com
>
>
>
>_______________________________________________
>Redhat-list mailing list
>[EMAIL PROTECTED]
>https://listman.redhat.com/mailman/listinfo/redhat-list 

----------------------------------------------------
Jonathan Wilson
System Administrator

Cedar Creek Software
http://www.cedarcreeksoftware.com

Central Texas IT
http://www.centraltexasit.com
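
Added example, not part of the original message: the evidence-preservation steps the reply describes (netstat before shutdown, a dd image of the drive, an md5sum of the image) written as a shell script. The function names, output file names and the paths in the usage comment are assumptions.

```shell
#!/usr/bin/env bash
# Added example: preserve evidence from a compromised host before reinstalling.
# File names and the output directory are assumptions; the output directory
# must be on external media, not on the suspect disk.

# Volatile data first: record open sockets while the system is still up.
capture_sockets() {
    out_dir=$1
    if command -v netstat >/dev/null 2>&1; then
        netstat -an > "$out_dir/netstat.txt" 2>&1 || true
    fi
}

# Bit-for-bit copy of a disk (or any file) plus an md5sum of the image.
image_disk() {
    src=$1
    out_dir=$2
    dd if="$src" of="$out_dir/disk.img" bs=65536 2> "$out_dir/dd.log" || return 1
    # Hash from inside out_dir so the .md5 file stores a relative name and
    # still verifies after the media is moved to an analysis machine.
    ( cd "$out_dir" && md5sum disk.img > disk.img.md5 ) || return 1
    # Read-only bits guard against accidental writes during later review.
    chmod a-w "$out_dir/disk.img" "$out_dir/disk.img.md5"
}

# Re-check the image against the recorded hash; non-zero means it changed.
verify_image() {
    ( cd "$1" && md5sum -c disk.img.md5 > /dev/null 2>&1 )
}

# Usage (as root): script.sh /dev/sda /mnt/evidence   <- assumed paths
if [ "$#" -eq 2 ]; then
    capture_sockets "$2"
    image_disk "$1" "$2" && verify_image "$2" && echo "image verified"
fi
```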


