Hmm, don't just focus on the server, and don't do anything drastic to alert that you're onto him/her! Go to your perimeter devices and turn on logging like mad (routers/firewall) so you can codify events (assuming that he/she is coming from the outside). Also, on the inside, pop in a sniffer on that subnet and capture everything - if you can't read the traffic at least you can start homing in on where it's originating, and that might divulge what programs/services have been hacked... START A CHAIN-of events!!!! Document everything you notice and what you do/did but try not to change the system - if it goes to court you'll need it. Wish I could offer more but I'm not a unix/linux expert (yet). Please keep us informed to let us know the progress.

On 10/12/06, Manuel Arostegui Ramirez <manuel@xxxxxxxxxxxxxx> wrote:
On Thursday, 12 October 2006 14:11, mark wrote:
> Steve Buehler wrote:
> > Ok. It looks like I have been hacked and they have put in a directory
> > in my webspace that is just a space. In there, is 2 directories and 1
> > file:
> > -rwxr-xr-x 1 root root 0 Oct 12 00:01 php.php
> > drwxr-xr-x 2 48 48 4096 Oct 11 23:54 signin.ebay.com
> > drwxrwxrwx 2 root root 4096 Oct 11 23:54 www.paypal.com
> >
> > I can delete everything in the 2 directories, and edit/change the
> > php.php file to empty it out because it was a php script that allowed
> > someone to do anything on the server they wanted, but I can not for the
> > life of me delete them. I thought maybe they replaced the /bin/rm file,
> > but it does not appear to be a hacked "rm".
>
> chkrootkit. Get it. Use it, now!
>
> mark

rkhunter would do the trick too.

--
Manuel Arostegui Ramirez.

Electronic Mail is not secure, may not be read every day, and should not be used for urgent or sensitive issues.

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
--
/==========The One===========\
RacerX, MCP, MCPI, MCSE
Active member "170 MPH Club"
Microsoft Certified Systems Engineer/WebMaster/Web Developer
"...not all super heroes wear a cape...some ride a Suzuki GSX1300R..."
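The advice above to document everything without changing the system, applied to the blank-named directory from the thread, as an added example that is not part of the original messages. The function names, the log format and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Read-only: it lists, stats and hashes,
# and writes only to the log, which must live outside the examined tree.
# Hashing reads each file, which may update its access time on some mounts.
# Assumes GNU find/stat/sha256sum; paths containing newlines are not handled.

# Print directories under $1 whose name is only whitespace, one per line.
find_blank_dirs() {
    find "$1" -type d ! -name '*[![:space:]]*' -prune -print
}

# Append one line per entry inside those directories to log file $2:
# observed(UTC)|mode|uid:gid|size|mtime|sha256 or -|'path'
record_evidence() (
    now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    find_blank_dirs "$1" | while IFS= read -r dir; do
        find "$dir" -mindepth 1 | while IFS= read -r entry; do
            sum=-
            if [ -f "$entry" ] && [ ! -L "$entry" ]; then
                sum=$(sha256sum < "$entry" | cut -d' ' -f1)
            fi
            printf "%s|%s|%s|'%s'\n" "$now" \
                "$(stat -c '%A|%u:%g|%s|%y' -- "$entry")" "$sum" "$entry"
        done
    done >> "$2"
)

# Constructed sample tree mirroring the listing in the thread (hypothetical
# layout; ownership is not reproduced). Prints the path of the tree.
build_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/html/ /signin.ebay.com" "$t/html/ /www.paypal.com" "$t/html/images"
    : > "$t/html/ /php.php"
    echo ok > "$t/html/images/logo.txt"
    printf '%s\n' "$t"
}

# Demo on the constructed tree only.
demo_root=$(build_sample_tree)
record_evidence "$demo_root" "$demo_root.evidence.log"
cat "$demo_root.evidence.log"
rm -rf "$demo_root" "$demo_root.evidence.log"
```

On a real host, point the log at separate media so that recording the evidence does not itself write to the filesystem under investigation.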