This is a discussion on HELP - Have attack my Server within the Linux Security forums, part of the System Security and Security Related category.
Hi,

I have a server with Qmail, Apache2, Freeradius, MySQL and BIND.

I have firewalled this server with open port of this service.

Recently I have found this daemon which running :

../https www.uol.com.br 80 10000 xx

My bandwidth is down, and don't have idea where is the bug,
I have changed the password for root and unique user but the attacker is
every logged...

Please help me.

P.S.: don't have log, the hacker clean the log....

Thanks.

--
Posted via Mailgate.ORG Server - http://www.Mailgate.ORG

"Pisinho" <linux@fol.it> writes:

> I have a server with Qmail, Apache2, Freeradius, MySQL and BIND.
>
> I have firewalled this server with open port of this service.
>
> Recently I have found this daemon which running :
>
> ./https www.uol.com.br 80 10000 xx
>
> My bandwidth is down, and don't have idea where is the bug,
> I have changed the password for root and unique user but the attacker is
> every logged...

So now they know a) you're onto them b) root's new password c) what users are important to you d) what their password-choice strategy is like.

That was not clever.

> Please help me.
>
> P.S.: don't have log, the hacker clean the log....

<http://www.cert.org/tech_tips/win-UNIX-system_compromise.html>
<http://www.linuxsecurity.com/docs/colsfaq.html> as well.

What didn't you do right, in order to get cracked?

~Tim
--
13:30:37 up 16 days, 18:21, 3 users, load average: 0.01, 0.11, 0.15
piglet@stirfried.vegetable.org.uk |As long as I can see the morning
http://spodzone.org.uk/cesspit/   |And blossom turns to bud again in spring

"Pisinho" <linux@fol.it> wrote in
news:b3f87c4181d697d1fd51fd431d9fb405.100471@mygate.mailgate.org:

> P.S.: don't have log, the hacker clean the log....

You didn't say what Linux you have. Sounds like it might be an older rootkit. Try these commands...

    ls -blaRt /dev | grep "^-"
    grep -v :x: /etc/passwd
    find / | grep tcp.log

You might also try..

    strings /bin/ps | grep /

but that is going to give you some results. Unless you have seen it before you might not spot the change.

Gandalf Parker
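
The file-system checks from the post above, as an added example that is not part of the original thread: a shell script whose functions take the root of the tree to inspect. The function names, the extra UID 0 check and the idea of pointing it at a read-only mounted copy of the disk are assumptions added here, not something the posters wrote.

```shell
#!/bin/sh
# Added example, not from the thread. Each function takes the root of the
# tree to inspect, so a copy of the suspect disk mounted read-only on a
# trusted machine can be checked instead of the live system.

# Regular files under <root>/dev (the post's: ls -blaRt /dev | grep "^-").
# /dev should hold device nodes, directories and symlinks; hits are leads
# to review, not proof, since a few systems keep legitimate files there.
dev_regular_files() {
    find "$1/dev" -xdev -type f 2>/dev/null | sort
}

# Accounts whose password field is not "x", i.e. not deferred to
# /etc/shadow (the post's: grep -v :x: /etc/passwd).
passwd_not_shadowed() {
    awk -F: 'NF >= 2 && $2 != "x" { print $1 }' "$1/etc/passwd"
}

# UID 0 accounts other than root (extra check, not in the post).
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1/etc/passwd"
}

# Files with tcp.log in their name, the name the post searches for
# (the post's: find / | grep tcp.log).
tcp_log_files() {
    find "${1:-/}" -xdev -type f -name '*tcp.log*' 2>/dev/null | sort
}

# Run every check against one root and print labelled sections.
scan_root() {
    root=${1%/}        # "/" becomes "" so "$root/dev" is "/dev"
    echo "== regular files under $root/dev"; dev_regular_files "$root"
    echo "== passwd entries not using shadow"; passwd_not_shadowed "$root"
    echo "== extra UID 0 accounts"; extra_uid0 "$root"
    echo "== tcp.log files"; tcp_log_files "$root"
}

# Only scan when a root is given, e.g.: sh check.sh /mnt/suspect
if [ "$#" -gt 0 ]; then scan_root "$1"; fi
```

The `strings /bin/ps` check is left out because it needs a known-good copy of the binary to compare against, as the post itself notes.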

On 2004-08-13, Pisinho <linux@fol.it> wrote:

> Hi,
> I have a server with Qmail, Apache2, Freeradius, MySQL and BIND.
>
> I have firewalled this server with open port of this service.
>
> Recently I have found this daemon which running :
>
> ./https www.uol.com.br 80 10000 xx
>
> My bandwidth is down, and don't have idea where is the bug,
> I have changed the password for root and unique user but the attacker is
> every logged...
>
> Please help me.
>
> P.S.: don't have log, the hacker clean the log....

I see the "test"/"guest" SSH attacks got you :P

--
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++