Has my server been hacked?

Don Erickson derick at zeni.net
Sun Nov 13 10:20:05 CST 2005


On Sun, 13 Nov 2005, Matt Graham wrote:

> I wrote to this guy and asked him what he meant.  There ARE a lot of
> pictures of me and my sister on that website. Vacation pics and things.

Ah, so he meant that the website on the attacking IP was riddled with 
pictures of you and your sister?  That at least makes some degree of 
sense, and assuming that the email was sent to an address that was on the 
website rather than "webmaster at ip.add.res.ss" these are all good clues as 
to the legitimacy of the email.

> I ran chkrootkit and the only (possibly) negative results I got were:
>
> Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)
> Checking `chkutmp'...  The tty of the following user process(es) were not
> found
> in /var/run/utmp !
> Searching for suspicious files and dirs, it may take a while...
> /usr/lib/j2se/1.4/jre/.systemPrefs
> /usr/lib/j2se/1.4/jre/.systemPrefs/.systemRootModFile
> /usr/lib/j2se/1.4/jre/.systemPrefs/.system.lock
> /usr/lib/j2se/1.4/jre/.systemPrefs
>
> I guess that since I even suspect that it's compromised, I should reinstall.

Reinstalling from disc probably won't remove the exploited hole.  There are 
lots of ways to exploit security holes without being root.  There's 
another awstats vulnerability that lets anyone run perl commands on a box 
that runs it.  I'd check the apache logs, grep for awstats and see if 
anything interesting comes up, if you're running awstats.

What distribution are you running, and do you subscribe to the security 
mailing list for that distro?


Regards,

-Don
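The log check Don suggests, written out as a small scanner rather than a bare grep. This is an added example and not part of the original thread or of any awstats or chkrootkit code: it parses Apache combined-format access log lines, keeps only requests to an awstats script, and flags any whose decoded query parameters contain shell metacharacters, which a legitimate awstats parameter value never needs. The sample log lines are constructed (RFC 5737 documentation addresses, a placeholder string where a real attacker payload would sit), and the metacharacter heuristic is a general one for any CGI script, not something specific to the awstats bug mentioned in the thread.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed sample lines in Apache "combined" log format; not real traffic.
# Third line imitates a request that smuggles a pipe character into a parameter.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Nov/2005:09:58:01 -0600] "GET /cgi-bin/awstats.pl?config=example.test HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Nov/2005:09:58:07 -0600] "GET /photos/vacation/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Nov/2005:10:02:44 -0600] "GET /cgi-bin/awstats.pl?configdir=%7CCONSTRUCTED_PAYLOAD%7C HTTP/1.0" 200 410 "-" "-"
198.51.100.7 - - [13/Nov/2005:10:02:50 -0600] "GET /awstats/awstats.pl?config=example.test&update=1 HTTP/1.0" 200 3300 "-" "-"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

# Characters that a CGI parameter value should never need; any one of them
# in a decoded awstats parameter is worth a closer look.
SHELL_META = set('|;`$&<>')


def parse_line(line):
    """Return a dict for one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec['target'])
    rec['path'] = parts.path
    # parse_qsl already URL-decodes once (so %7C becomes '|').
    rec['params'] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def suspicious_params(params):
    """Names of parameters whose (possibly double-encoded) value carries shell metacharacters."""
    hits = []
    for name, value in params:
        decoded = unquote(value)  # second decode catches %257C-style double encoding
        if any(ch in SHELL_META for ch in decoded):
            hits.append(name)
    return hits


def scan_log(text):
    """Every awstats request in the log, marked 'high' when a parameter looks injected."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or 'awstats' not in rec['path'].lower():
            continue
        flagged = suspicious_params(rec['params'])
        findings.append({
            'ip': rec['ip'],
            'ts': rec['ts'],
            'path': rec['path'],
            'status': rec['status'],
            'flagged': flagged,
            'severity': 'high' if flagged else 'info',
        })
    return findings


def sources_of_high_findings(findings):
    """Distinct client addresses behind the 'high' findings, for the next grep."""
    return sorted({f['ip'] for f in findings if f['severity'] == 'high'})


if __name__ == '__main__':
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['severity']:4} {f['ip']:15} {f['ts']} {f['path']} flagged={f['flagged']}")
    print('follow up on:', sources_of_high_findings(results))
```

Run it against a real access log with `scan_log(open('/var/log/apache2/access.log').read())` (path is an assumption; use wherever your distribution keeps it). Every awstats hit is listed, not only the flagged ones, because a 200 response to an odd awstats request from an address that then never requests anything else is itself a clue, and the "high" rows give you the source addresses to grep for across the rest of the logs.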

