Hello,

> I hope you're one of the few that backed up /before/

Fortunately, it is a server with only a few things running, so it wouldn't be
very difficult to restore it (and no, I'm not in the lucky "backed up
/before/" group...)

> 1. Check your log files. I must say though - if they got in, they probably
> cleaned up your log files already.

The problem started like this: the server froze (grow_inodes: inode-max
limit reached) and when it was rebooted the /var/log/messages file was not
there...

Then the server started to crash almost every day with the same message...
When I changed the inode-max number, the crack worked and all the
"index.html" files were changed!

> 2. You have more problems then you know - you've got to find out how they got
> in. You're also going to have to reinstall from your Install CDs, because
> they've probably left a back door that may not be easy to find. Simply
> patching the original hole they came in through isn't good enough.

I am in that process...

> If you have enough disk or tape space you might consider making an exact
> bit-for-bit copy of your drive with dd and saving it for review later. That
> way, once you get your server back online, you can closely examine the
> compromised system and try to see what they did. If you do that make an md5sum
> of the image.

I don't have this possibility... I am satisfied if this doesn't happen
again!

> Oh, one more thing: GET THAT SERVER OFF THE NET until you're done
> reinstalling. I mean it - you're a danger for yourself and others as long as
> you're online and compromised. Why? Because you're not in control of your
> system - the cracker is.
>
> Best wishes for speedy recovery.
> 
> Oh, you might want to run netstat before you shut the server down and see what
> sockets are open.

Thanks for all the advice.
Regards,
Tomás

Tomas Garcia Ferrari

Bigital
http://bigital.com
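The evidence-preservation steps from the quoted advice (record open sockets before shutdown, take a bit-for-bit dd image, keep an md5sum of it for later review), as an added POSIX shell example that is not part of the original thread or of anything either poster ran. The function names, the use of `ss` when `netstat` is absent, the 512-byte default block size and the evidence paths are my assumptions; SRC stands for a real block device such as /dev/sda.

```shell
#!/bin/sh
# Added example, not code from the thread: preserve evidence from a
# compromised host before it is rebuilt. Assumed helper names and paths.

# capture_sockets OUTFILE: record listening/established sockets while the
# box is still up (the "run netstat before you shut it down" step).
# ss is tried first (assumption: modern distros ship ss, not netstat);
# the script still runs if neither tool exists. Prints the output path.
capture_sockets() {
    out="$1"
    if command -v ss >/dev/null 2>&1; then
        ss -tulpan > "$out" 2>&1
    elif command -v netstat >/dev/null 2>&1; then
        netstat -tulpan > "$out" 2>&1
    else
        echo "no ss/netstat available on this host" > "$out"
    fi
    echo "$out"
}

# image_disk SRC DEST [BS]: bit-for-bit copy with dd.
# conv=noerror,sync keeps dd going past unreadable blocks (zero-filling
# them) instead of aborting. Caveat: conv=sync pads a short final block
# up to BS, so BS must divide the source size exactly for the image hash
# to match the source; 512 (a sector) always does, larger values are
# faster but only safe when they divide the device size.
# Writes DEST.md5 and prints the md5sum of the finished image.
image_disk() {
    src="$1"; dest="$2"; bs="${3:-512}"
    dd if="$src" of="$dest" bs="$bs" conv=noerror,sync 2>/dev/null || return 1
    md5sum "$dest" > "$dest.md5"
    cut -d' ' -f1 "$dest.md5"
}

# verify_image DEST: re-hash the image and compare to the recorded digest
# before examining it later; prints ok/MISMATCH and returns 0/1.
verify_image() {
    dest="$1"
    if md5sum -c "$dest.md5" >/dev/null 2>&1; then
        echo ok; return 0
    else
        echo MISMATCH; return 1
    fi
}

# Typical order (commented out; needs root and a real device):
#   capture_sockets /mnt/evidence/sockets.txt
#   image_disk /dev/sda /mnt/evidence/sda.dd
#   verify_image /mnt/evidence/sda.dd     # later, before analysis
```

Take the image from a rescue boot or with the disk attached to a clean machine, since dd run on the compromised system uses the attacker's kernel and tools. The thread suggests md5sum and the script keeps that to match it; for a new case, record sha256sum alongside it, since md5 no longer protects against a deliberately forged image.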



_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list