[Sussex] Hacked server
Nico Kadel-Garcia
nkadel at gmail.com
Fri Jan 26 12:28:34 UTC 2007
John Crowhurst wrote:
> On Thu, January 25, 2007 11:30, Jacqui Caren wrote:
>
>> Brendan Whelan wrote:
>>
>>> David,
>>>
>>> Thanks for the response - I switch from the default admin user to root
>>> and I could then create directories, etc.
>>> I have managed to export the databases and pull them down to my PC.
>>> Using SCP is a good idea - I will transfer key files temporarily to
>>> another server.
>>>
>> also have a look in .bashrc et al. - they may have put a trigger in there
>> to let them know who else logs in - this often gives you a trackback to
>> other compromised systems or if they are really stupid their
>> home or uni systems. Hopefully you can use this to have their ISP
>> account revoked or if a uni that has decent sysadmins (not all do) get
>> them kicked out.
>>
>
> If the sshd has been compromised, any passwords used in the scp process
> will have been stored as plaintext on your server, so you will need to
> change every password just to be safe.
>
> Do not trust any of the binaries on the server as they could easily have
> been compromised (such as init, sh, ps, ls, df, etc.)
>
> A rootkit kiddie wouldn't bother changing .bashrc for a trigger, they'd
> embed it into the rooted binaries.
>
So will local sudo: you need to flush every password from that box used
anywhere else, probe systems that the colo box could reach for rootkit
violations, any SSH passphrase keys, MySQL clear text passwords, etc.