what hack is this and what to do against it?
Hi folks,

Some of my servers were hacked the day before. I found some strange processes and some binaries changed and would like to know what hack or possible worm this is and what to do against it - update which daemon/package?

Files changed or created:

-rwxr-xr-x 1 root root  60296 Dez 20 20:37 /bin/netstat
-r-xr-xr-x 1 root root  32756 Dez 20 20:37 /bin/ps
-rw------- 1 root root    512 Dez 20 21:37 /bin/.s
-rw------- 1 root root    526 Dez 20 20:37 /bin/hk
-rw------- 1 root root    512 Dez 20 20:37 /bin/s
-rw-r--r-- 1 root root    673 Dez 20 20:37 /bin/sc
-rw-r--r-- 1 root root    880 Dez 20 20:37 /bin/ssc
-rwxr-xr-x 1 root root 207272 Dez 20 15:44 /usr/bin/afb
-rwxr-xr-x 1 root root    111 Dez 20 20:37 /usr/bin/hdp
-rwxr-xr-x 1 root root   5008 Dez 20 20:37 /usr/bin/sn

I found some scripts here:

./usr/src/wsx
./usr/src/wsx/flood
./usr/src/wsx/mass-scan
./usr/src/wsx/parser
./usr/src/wsx/cleaner
./usr/src/wsx/sz
./usr/src/wsx/tcp.log

I found this process:

30056 ? S 0:01 /usr/bin/./afb -f /bin/sc -q -p 55001 -h /bin/hk

My machine is still running SuSE 6.2. Since it's a production machine some hundred kilometers away from me, I can't just drive there to make an update before January... so I appreciate any info to stabilize it until then...

Hope you can help me...

Thanks in advance,
Walter Raboch
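Walter's listing shows /bin/ps and /bin/netstat replaced on the same evening the other files appeared, which is the classic sign of a rootkit that hides the intruder's processes from ps. The following shell script is an added example (not from the thread or from any SuSE tool) of how to get a second opinion from the kernel itself: it enumerates /proc/<pid> with shell globbing (so a replaced /bin/ls cannot filter it) and reports every PID that the installed ps does not show. The PID lists in the demo at the bottom are constructed, and the rpm verification function assumes the RPM database on the box has not itself been tampered with, which a rootkit can also do; it is a check, not proof of integrity.

```shell
#!/bin/sh
# Cross-check the kernel's process table (/proc) against /bin/ps.
# Added example for the thread above; not part of the original post.

# hidden_pids "PROC_PIDS" "PS_PIDS": print every PID from the first
# whitespace-separated list that is missing from the second one.
hidden_pids() {
    known=" $(echo $2) "          # unquoted $2 collapses newlines into spaces
    for pid in $1; do
        case "$known" in
            *" $pid "*) ;;        # ps reports it: fine
            *) echo "$pid" ;;     # present in /proc, absent from ps: hidden
        esac
    done
}

# proc_pids: list PIDs from /proc using only shell globbing, so that a
# trojaned /bin/ls or /bin/ps cannot influence the result.
proc_pids() {
    for d in /proc/[0-9]*; do
        echo "${d#/proc/}"
    done
}

# live_check: snapshot /proc before and after running ps, and only report
# PIDs present in both snapshots, so a process that simply exited while ps
# was running is not mistaken for a hidden one.
live_check() {
    before=$(proc_pids)
    seen=$(ps -e -o pid= 2>/dev/null || ps ax | awk 'NR > 1 { print $1 }')
    after=" $(echo $(proc_pids)) "
    for pid in $(hidden_pids "$before" "$seen"); do
        case "$after" in
            *" $pid "*)
                # /proc/<pid>/cmdline is NUL-separated; make it readable
                cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
                echo "hidden from ps: PID $pid $cmd"
                ;;
        esac
    done
}

# verify_with_rpm: ask the package database whether these files still match
# the installed package (size, MD5, mode, mtime). Only meaningful if the rpm
# database itself is intact, which cannot be assumed on a rooted box.
verify_with_rpm() {
    rpm -Vf /bin/ps /bin/netstat /bin/login /usr/bin/find /sbin/ifconfig
}

# Demo with constructed PID lists: the kernel sees 30056 (the afb process
# from the thread), the replaced ps does not.
echo "demo, hidden PIDs: $(hidden_pids '1 2 30056 400' '1 2 400')"
# On the suspect machine, run live_check and verify_with_rpm as root.
```

Run it as root on the suspect machine and copy the output elsewhere before touching anything else; if live_check prints the afb PID, the replaced ps is confirmed to be filtering it. Because the kernel on a rooted host can also be lying (an LKM rootkit hooks the very syscalls /proc depends on), a clean result here does not clear the box; it only tells you how far the compromise goes.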
On Fri, Dec 21, 2001 at 12:46:39AM +0100, Walter Raboch wrote:
Hi folks,
Some of my servers were hacked the day before. I found some strange processes and some binaries changed and would like to know what hack or possible worm this is and what to do against it - update which daemon/package?
Hi Walter,

As you might know, updating packages on a hacked server isn't really a solution. You have to install it completely new, because you'll never know what binaries/RPMs have been replaced, and maybe there's a rootkit installed.
My machine is still running SuSE 6.2. Since it's a production machine some hundred kilometers away from me, I can't just drive there to make an update before January... so I appreciate any info to stabilize it. Hope you can help me...
Maybe you can transfer the running service onto another server. Something like www or ftp should not be a big problem to transfer and bring up on a secure (not hacked) server. The best thing is to shut this machine off as fast as you can. Think about it... it could be possible the attacker is running a sniffer or other programs to prepare new hack attacks.

Regards,
Marco

--
tr@nsnet internet services      phone : +49-89-48-90-33-50
lilienstr. 3-5                  fax   : +49-89-48-90-33-55
81669 munich/germany            url   : http://www.trans.net/
gpg key: mail -s "get gpg key" marco.ahrendt@trans.net
»INSERT DISK THREE? But I can only get two in the drive!«
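Before the box is switched off or its services are moved, it is worth knowing which ports are actually listening, and the replaced /bin/netstat cannot be trusted to say. The script below is an added example, not something from the thread or from SuSE: it reads the kernel's own socket table, /proc/net/tcp, and prints the port of every socket in state 0A (LISTEN). The table embedded in the script is constructed, not captured from Walter's host; it contains sshd on 22 and a listener on 0xD6D9, which is 55001, the port the afb process in the thread was started with.

```shell
#!/bin/sh
# List listening TCP ports straight from /proc/net/tcp instead of trusting
# a replaced netstat. Added example; not part of the original thread.

# Constructed sample of a /proc/net/tcp table (not from the hacked host).
# Fields: sl local_address rem_address st ...; addresses are hex IP:port,
# st 0A is LISTEN, 01 is ESTABLISHED. 0xD6D9 = 55001.
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 c0000000 300 0 0 2 -1
   1: 00000000:D6D9 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1 c0000000 300 0 0 2 -1
   2: 0100007F:0016 0100007F:8A3C 01 00000000:00000000 00:00000000 00000000     0        0 9012 1 c0000000 20 4 30 10 -1'

# listening_ports: read a /proc/net/tcp-formatted table on stdin and print
# the decimal port of every LISTEN socket, one per line, in table order.
listening_ports() {
    awk 'NR > 1 && $4 == "0A" {
        split($2, addr, ":")
        # hex port to decimal by hand; strtonum is a gawk extension and the
        # awk on an old box may not have it
        hex = toupper(addr[2]); n = 0
        for (i = 1; i <= length(hex); i++)
            n = n * 16 + index("0123456789ABCDEF", substr(hex, i, 1)) - 1
        print n
    }'
}

# live_listening_ports: the same check against the running kernel. The
# socket inode printed by /proc/net/tcp can then be matched to a process via
# /proc/<pid>/fd, again without relying on netstat or lsof.
live_listening_ports() {
    listening_ports < /proc/net/tcp
}

echo "demo, listening ports in the constructed table:"
printf '%s\n' "$SAMPLE_PROC_NET_TCP" | listening_ports
# On the suspect machine run: live_listening_ports
```

Compare the output of live_listening_ports with what the replaced netstat prints; any port the kernel lists and netstat omits is being hidden. As with the process check, this only shows how deep the compromise goes; it does not substitute for Marco's advice to rebuild the machine.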