Re: an actual hacked machine, in a preserved state

On Sun, Jan 1, 2012 at 4:23 PM, Bennett Haselton <bennett@xxxxxxxxxxxxx> wrote:
>
> So, following people's suggestions, the machine is disconnected and hooked
> up to a KVM so I can still examine the files.  I've found this file:
> -rw-r--r-- 1 root root 1358 Oct 21 17:40 /home/file.pl
> which appears to be a copy of this exploit script:
> http://archive.cert.uni-stuttgart.de/bugtraq/2006/11/msg00302.html
> Note the last-mod date of October 21.

Did you do an rpm -Va to see if any installed files were modified
besides your own changes?  Even better if you have an old backup that
you can restore somewhere and run an rsync -avn against the old/new
instances.

>  Anywhere else that the logs would contain useful data?

/root/.bash_history might be interesting.  Obviously this would be
after the fact, but maybe they are trying to repeat the exploit with
this machine as a base.

-- 
  Les Mikesell
    lesmikesell@xxxxxxxxx
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
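The `rpm -Va` suggestion above produces a long list in which timestamp-only changes and edited config files drown out the interesting entries. The script below is an added example (not from the thread or from the CentOS project) that triages that output: it keeps non-config files whose size, mode, digest, owner or group no longer match the package database, plus files the database expects but that are missing, and drops everything else. The sample `rpm -Va` lines it runs on are constructed for the example; on a real host you would pipe the live output in instead. Because the rpm database and the `rpm` binary both live on the suspect machine, a result of "nothing modified" is only as trustworthy as that database, which is why the reply also recommends comparing against an old backup.

```shell
#!/bin/sh
# Added example: triage "rpm -Va" output from a suspect host.
# On the real host:   rpm -Va | triage_rpm_verify
# Column 1 of each line is the 9-character verify string:
#   S size  M mode  5 digest  D device  L link  U user  G group  T mtime  P caps
#   "." = test passed, "?" = test could not be run.
# An optional second column gives the file type (c = config, d = doc, ...).
# Lines starting with "missing" name files the rpm db expects but that are gone.

triage_rpm_verify() {
    awk '
        # Files recorded in the package database that no longer exist.
        $1 == "missing" { print "MISSING   " $NF; next }
        {
            flags = $1
            path  = $NF
            # Config files are expected to differ from the packaged copy; skip them.
            if (NF == 3 && $2 == "c") next
            # Size, mode, digest, owner or group changes on a non-config file
            # (e.g. a replaced /usr/bin/ps) are what an intruder leaves behind.
            # A bare mtime change (".......T.") on its own is not reported.
            if (substr(flags, 1, 1) == "S" || substr(flags, 2, 1) == "M" ||
                substr(flags, 3, 1) == "5" || substr(flags, 6, 1) == "U" ||
                substr(flags, 7, 1) == "G")
                print "MODIFIED  " flags "  " path
        }
    '
}

# Constructed sample of what "rpm -Va" might print on a suspect host
# (these paths and flags are made up for the example).
sample_rpm_va_output() {
    cat <<'EOF'
S.5....T.    /usr/bin/ps
.......T.    /usr/lib64/libc.so.6
S.5....T.  c /etc/ssh/sshd_config
.M.......    /usr/sbin/sshd
missing     /usr/bin/netstat
EOF
}

# Expected: /usr/bin/ps and /usr/sbin/sshd flagged MODIFIED, /usr/bin/netstat
# flagged MISSING; the mtime-only libc entry and the edited sshd_config are dropped.
sample_rpm_va_output | triage_rpm_verify
```

Entries the script prints are candidates, not proof: confirm each one against a clean copy of the package (for instance by restoring the old backup the reply mentions and diffing, or by extracting the rpm from a trusted mirror), since a legitimate prelink or manual replacement can also change a digest.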