[Sussex] Hacked server
John Crowhurst
fyremoon at fyremoon.net
Thu Jan 25 16:42:42 UTC 2007
On Thu, January 25, 2007 11:30, Jacqui Caren wrote:
> Brendan Whelan wrote:
>> David,
>>
>> Thanks for the response - I switch from the default admin user to root
>> and I could then create directories, etc.
>> I have managed to export the databases and pull them down to my PC.
>> Using SCP is a good idea - I will transfer key files temporarily to
>> another server.
>
> also have a look in .bashrc et al. - they may have put a trigger in there
> to let them know who else logs in - this often gives you a trackback to
> other compromised systems or if they are really stupid their
> home or uni systems. Hopefully you can use this to have their ISP
> account revoked or if a uni that has decent sysadmins (not all do) get
> them kicked out.
If the sshd has been compromised, any passwords used in the scp process
will have been stored as plaintext on your server, so you will need to
change every password just to be safe.
Do not trust any of the binaries on the server as they could easily have
been compromised (such as init, sh, ps, ls, df, etc.)
A rootkit kiddie wouldn't bother changing .bashrc for a trigger, they'd
embed it into the rooted binaries.
--
John
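John's point that none of the host's own binaries can be trusted is the reason responders verify a compromised box from outside it. Below is an added example (not from this thread or any of its posters) of the simplest version of that check: a POSIX shell function that compares files on a mounted suspect filesystem against a SHA-256 baseline recorded before the incident, using a hashing tool from the rescue media rather than the suspect host. The baseline format, the `make_fixture` demo data and the fake "binaries" it creates are all constructed for illustration.

```shell
#!/bin/sh
# Verify binaries on a suspect filesystem against a known-good SHA-256 baseline.
# Intended to be run from trusted media (rescue/live image) with the suspect
# disk mounted read-only, so that sh, sha256sum and cut are not the host's own.

# hash_file FILE: print the SHA-256 of FILE (falls back to shasum where
# coreutils sha256sum is absent, e.g. on BSD/macOS rescue systems).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# check_baseline BASELINE ROOT
#   BASELINE: text file of "<sha256>  <absolute path>" lines, recorded from a
#             clean install (assumed format for this example).
#   ROOT:     mount point of the suspect filesystem, e.g. /mnt/suspect.
# Prints one line per MISSING or MODIFIED file; returns 0 only if all match.
check_baseline() {
    baseline="$1"
    root="$2"
    bad=0
    while read -r expected path; do
        [ -n "$path" ] || continue            # skip blank lines
        file="$root$path"
        if [ ! -f "$file" ]; then
            echo "MISSING   $path"
            bad=1
            continue
        fi
        actual=$(hash_file "$file")
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED  $path"
            bad=1
        fi
    done < "$baseline"
    return $bad
}

# make_fixture: constructed demo data, not a real system. Builds a fake root
# with three "binaries", records the baseline, then simulates a rootkit by
# replacing ps and deleting df. Prints the fixture directory.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/root/bin"
    printf 'ls-original\n' > "$dir/root/bin/ls"
    printf 'ps-original\n' > "$dir/root/bin/ps"
    printf 'df-original\n' > "$dir/root/bin/df"
    : > "$dir/baseline.txt"
    for p in /bin/ls /bin/ps /bin/df; do
        echo "$(hash_file "$dir/root$p")  $p" >> "$dir/baseline.txt"
    done
    printf 'ps-trojaned\n' > "$dir/root/bin/ps"   # tampered binary
    rm "$dir/root/bin/df"                          # removed binary
    echo "$dir"
}

# Usage: ./verify_baseline.sh --demo      (runs against the constructed fixture)
#        ./verify_baseline.sh BASELINE ROOT
if [ "${1:-}" = "--demo" ]; then
    fx=$(make_fixture)
    check_baseline "$fx/baseline.txt" "$fx/root" || echo "baseline check FAILED"
    rm -rf "$fx"
elif [ $# -eq 2 ]; then
    check_baseline "$1" "$2"
fi
```

On a real incident the baseline comes from package metadata or a pristine install (for example `rpm -Va` or `debsums` run from the rescue environment against the mounted root), not from the compromised host, since a trojaned `sha256sum` or `ls` would happily report everything as clean.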