Re: possibly hacked

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Thu, 16 Nov 2006 16:16:34 -0700, Robin Laing wrote:

> Amadeus W. M. wrote:
>> On Thu, 16 Nov 2006 10:26:20 -0600, olga wrote:
>> 
>> 
>>>Hi,
>>>
>>> I wrote about kernel errors which somebody pointed out was because the
>>>server was running out of memory.
>>>
>>>Now I found the following which makes me think that that server may have
>>>been compromized.
> 
> snip
> 
>> If you can, unplug the network wire (though if they know what they are
>> doing, your hard drive might be wiped off when their scripts detect that
>> the network is down. It's your call.). Run rpm -V from a rescue cd (not the
>> one in /usr/bin) on procps, net-tools, and the other essential system
>> utilities (including rpm itself). Then you'll know for sure.
>> 
> 
> Just posting a question in regards to this statement.
> 
> How about pulling the plug and fscking the drive using the rescue CD? 
> Not the best idea but could save a total wipe.
> 

fsck checks the integrity of the file system (orphan inodes and such), not
what's on it. 

I meant the hackers might have left some program behind to wipe off
the drive to remove all their traces when the network goes down. 

The actions the victim will take are a different story, and might take
depend on what's at stake. When I was hacked (a vulnerability in rpc.statd
in RH6.2), there wasn't any sensitive data on the drive, so pulling the
plug was not high risk. Script kiddies usually don't care to clean up
after themselves, they leave behind a load of hacking tools. The former
KGB agent, or the former FBI agent, on the other hand... If the victim is
an important server, it might not even be possible (or easy) to take it
off the network without some prior notice to the users. So it's the
administrator's decision. It must be swift though, as a hacked machine is
being used to scan and break into other machines. In fact that's how I new
I was hacked, I started to receive emails from various universities that
my machine was trying to break in into theirs.

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux