Chris,

The first thing to do is download and run the chkrootkit and rkhunter programs. It sounds like you might have a rootkit installed, and these programs may be able to identify which one you have. Honestly, this information may turn out not to be too useful since you are already cracked, but you should get these programs anyway and start running them on a regular basis. They can at least help you to quickly notice if something like this ever happens again.

chkrootkit: http://www.chkrootkit.org/
rkhunter: http://www.rootkit.nl/projects/rootkit_hunter.html

As for how you were cracked, don't assume that it was through an unpatched vulnerability. I work for a very large ISP and I see cracked servers a few times a week, and many break-ins are done by exploiting improperly configured security. For example, check to see if your /tmp directory is mounted with the noexec and nosuid options. Just enabling those options can prevent a lot of cracks, since many attacks rely on being able to exploit a weak cgi script to upload a program into /tmp and run it. And, of course, cgi scripts are frequently a way for attackers to gain access to your system.

I would suggest that before you reinstall, you should save copies of all of your log files, and also save the output of the "rpm -qa" command to get a list of all the installed software on your system. You can use the list to see if you had any versions of packages with known security holes, and you can use the logs, especially the web server logs, to see if there were any strange web requests around the time the crack occurred, such as someone running a cgi script with lots of garbage characters on the request line.

Another way attackers can get a foot in the door is by scanning your system for users who have set their passwords to be the same as their usernames. You would not believe how common this is, and once the attacker has a login to your system - any login - he or she can usually find some way to gain further access, and maybe even root. I don't know if you are doing shared hosting on your server, but if you are, you should make sure that all of your users pick secure (or at least non-trivial) passwords.

I expect you will want to get the server up and running again ASAP and won't be spending a lot of time on dissecting the old drive, so just be sure to keep an eye on the new system, log everything, and scan it frequently.

Good luck! Getting cracked like this is no fun at all and can really cost money if your business depends on it. Try to use this opportunity to learn as much as you can about security so you can prevent this from happening again. For more info, you might try asking on the message boards at EV1 (http://forum.ev1servers.net) and WebHosting Talk (http://www.webhostingtalk.com). The people on these boards are mostly running webservers on RedHat and they have good advice to offer. (Disclaimer: I work for EV1.)

Eris Caffee

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
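The /tmp mount check recommended in the post, written out as an added example (not from the original message): a POSIX sh function that reads a mount table in /proc/mounts format and reports which of noexec and nosuid are missing on /tmp. The sample mount tables below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify that /tmp is mounted with noexec and nosuid.
# Input is a mount table in /proc/mounts format:
#   <device> <mountpoint> <fstype> <options> <dump> <pass>

# tmp_mount_missing TABLE
#   prints each missing option (noexec, nosuid) on its own line
#   returns 0 when both are present, 1 when at least one is missing,
#   and 2 when /tmp is not a separate mount (it then inherits the options of /)
tmp_mount_missing() {
    line=$(printf '%s\n' "$1" | awk '$2 == "/tmp" { print; exit }')
    if [ -z "$line" ]; then
        echo "/tmp is not a separate mount"
        return 2
    fi
    opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
    missing=""
    for want in noexec nosuid; do
        # Match the option as a whole comma-separated token, not a substring.
        case ",$opts," in
            *,"$want",*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        for m in $missing; do echo "$m"; done
        return 1
    fi
    return 0
}

# Constructed sample tables: one weak (/tmp mounted rw only), one hardened.
SAMPLE_WEAK='/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw 0 0'
SAMPLE_OK='/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid,nodev 0 0'

# Demo on the constructed tables; on a live host pass "$(cat /proc/mounts)".
for table in "$SAMPLE_WEAK" "$SAMPLE_OK"; do
    if tmp_mount_missing "$table" >/dev/null; then
        echo "/tmp: noexec and nosuid present"
    else
        echo "/tmp: needs hardening"
    fi
done
```

The fix on a real host is to add noexec,nosuid to the /tmp entry in /etc/fstab and run `mount -o remount /tmp`; note that some package install scripts expect to execute from /tmp and may need a different TMPDIR afterwards.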