Mailinglist Archive: opensuse-security (465 mails)

Re: [suse-security] what hack is this and what to do against ?
  • From: Marco <marco@xxxxxxxxx>
  • Date: Fri, 21 Dec 2001 02:38:24 +0100
  • Message-id: <20011221023824.A9253@xxxxxxxxx>
On Fri, Dec 21, 2001 at 12:46:39AM +0100, Walter Raboch wrote:
> Hi folks,
>
> some of my servers were hacked the day before...
> i found some strange processes and some binaries changed and would
> like to know what hack or possible worm this is and what to do against -
> update which daemon/package ?

hi walter,

as you might know, updating packages on a hacked server isn't really a
solution. you have to install it completely new because you'll never
know what binaries/rpms have been replaced and maybe there's a rootkit
installed.

> my machine is still running at Suse 6.2 since its a production machine
> some hundred kilometers away from me, so i can't just drive there making
> an update before January... so i appreciate any info to stabilize it
> hope you can help me...

maybe you can transfer the running service onto another server.
something like www or ftp should not be a big problem to transfer and
bring up a new server on a secure (not hacked) server. best thing is to
shut this machine off as fast as you can. think about... it could be
possible the attacker is running a sniffer or other programs to prepare new
hack attacks.

regards,
marco

--
tr@nsnet internet services phone : +49-89-48-90-33-50
lilienstr. 3-5 fax : +49-89-48-90-33-55
81669 munich/germany url : http://www.trans.net/
gpg key: mail -s "get gpg key" marco.ahrendt@xxxxxxxxx
»INSERT DISK THREE' ? But I can only get two in the drive !«
