Has my server been hacked?
Jason Dewayne Clinton
me at jasonclinton.com
Sun Nov 13 12:31:11 CST 2005
On Sunday 13 November 2005 09:58 am, Matt Graham wrote:
> Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)
> Checking `chkutmp'... The tty of the following user process(es) were
> not found
> in /var/run/utmp !
> Searching for suspicious files and dirs, it may take a while...
> /usr/lib/j2se/1.4/jre/.systemPrefs
> /usr/lib/j2se/1.4/jre/.systemPrefs/.systemRootModFile
> /usr/lib/j2se/1.4/jre/.systemPrefs/.system.lock
> /usr/lib/j2se/1.4/jre/.systemPrefs
>
> I guess that since I even suspect that it's compromised, I should
> reinstall.
Yea, your sentiments are correct. Unfortunately, you can't really say
with certainty that your box is clean once it has been rooted. So, I
would first get an idea of what kind of illegal stuff it has been
participating in by getting some packet captures like this:
tcpdump -s 1550 -w mydump.bin -i eth1 not port 22
Then open up mydump.bin later on another box with Ethereal. That way you
know what you might be accused of in the future and you have
documentation.
When you reinstall, be sure you reformat your partitions before you
install. Oh, and non-executables are fine to make backups of. They can't
usually carry any malicious code. Be careful of your config files
though.
--
I use digital signatures and encryption. My key is stored at pgp.mit.edu
0x8DB3BF09 FP: F628 D9D3 E57A C281 5EFE - 7DF7 B52A A393 8DB3 BF09
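The capture advice above writes a libpcap file that you later read on a clean box. As an added illustration (not from this post or from the kclug list), the following Python script does the simplest useful part of that offline review: it parses a libpcap file of the kind tcpdump -w produces, pulls out the IPv4 TCP/UDP endpoints, and counts frames per remote host and port, skipping port 22 just as the tcpdump filter in the post does. It assumes the classic libpcap format (not pcapng) and an Ethernet link type; the capture it analyses when run without arguments is constructed inside the script, with RFC 5737 documentation addresses, so it runs offline.

```python
"""Summarise which remote hosts and ports a captured box talked to.

Added example, not part of the original post.  Assumes a classic libpcap
file (what `tcpdump -w mydump.bin` writes) with Ethernet framing.  The
sample capture built by build_sample_pcap() is constructed, not real data.
"""
import struct
import socket
import sys
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4        # libpcap magic, as read little-endian
ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
PROTO_UDP = 17


def _ipv4_frame(src, dst, proto, sport, dport):
    """Build one Ethernet/IPv4/{TCP,UDP} frame with no payload (constructed)."""
    l4 = struct.pack("!HH", sport, dport)
    if proto == PROTO_TCP:
        # seq, ack, data offset (5 words), flags=SYN, window, checksum, urgent
        l4 += struct.pack("!IIBBHHH", 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    else:
        l4 += struct.pack("!HH", 8, 0)          # UDP length, checksum
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)  # dummy MACs
    return eth + ip + l4


def build_sample_pcap():
    """Constructed capture: a few outbound flows plus one inbound SSH frame."""
    frames = [
        _ipv4_frame("192.0.2.10", "198.51.100.5", PROTO_TCP, 40001, 6667),
        _ipv4_frame("192.0.2.10", "198.51.100.5", PROTO_TCP, 40002, 6667),
        _ipv4_frame("192.0.2.10", "203.0.113.7", PROTO_TCP, 40003, 80),
        _ipv4_frame("192.0.2.10", "203.0.113.9", PROTO_UDP, 40004, 53),
        _ipv4_frame("192.0.2.99", "192.0.2.10", PROTO_TCP, 50000, 22),
    ]
    # global header: magic, major, minor, tz offset, sigfigs, snaplen, linktype(1=Ethernet)
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 1550, 1)
    for i, frame in enumerate(frames):
        # per-packet header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", 1131900000 + i, 0, len(frame), len(frame))
        out += frame
    return out


def parse_pcap(data):
    """Return a list of (src, sport, dst, dport, proto) for IPv4 TCP/UDP frames."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"                              # file written big-endian
    else:
        raise ValueError("not a classic libpcap file")
    offset, records = 24, []
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        frame = data[offset:offset + incl_len]
        offset += incl_len
        if len(frame) < ETH_HDR_LEN + 20:
            continue                              # truncated, skip
        ethertype, = struct.unpack_from("!H", frame, 12)
        if ethertype != ETHERTYPE_IPV4:
            continue                              # ARP, IPv6 etc. not handled here
        ihl = (frame[ETH_HDR_LEN] & 0x0F) * 4    # IPv4 header length in bytes
        proto = frame[ETH_HDR_LEN + 9]
        src = socket.inet_ntoa(frame[ETH_HDR_LEN + 12:ETH_HDR_LEN + 16])
        dst = socket.inet_ntoa(frame[ETH_HDR_LEN + 16:ETH_HDR_LEN + 20])
        l4 = ETH_HDR_LEN + ihl
        if proto not in (PROTO_TCP, PROTO_UDP) or len(frame) < l4 + 4:
            continue
        sport, dport = struct.unpack_from("!HH", frame, l4)
        records.append((src, sport, dst, dport, proto))
    return records


def summarize(records, exclude_ports=(22,)):
    """Count frames per (dst, dport, proto), dropping ports the tcpdump
    filter in the post ('not port 22') would have excluded anyway."""
    counts = Counter()
    for src, sport, dst, dport, proto in records:
        if sport in exclude_ports or dport in exclude_ports:
            continue
        counts[(dst, dport, "tcp" if proto == PROTO_TCP else "udp")] += 1
    return counts


if __name__ == "__main__":
    # usage: python summarize_pcap.py mydump.bin   (no argument = built-in sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for (dst, dport, proto), n in summarize(parse_pcap(data)).most_common():
        print(f"{n:6d}  {proto}  {dst}:{dport}")
```

Run it against the real mydump.bin to get a first list of the remote hosts and ports the machine was busiest with; that list tells you which conversations to open in Ethereal first and gives you the dated record the post recommends keeping.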