On Fri, Dec 21, 2001 at 12:46:39AM +0100, Walter Raboch wrote:
> Hi folks,
>
> some of my servers were hacked the day before... i found some strange processes and some binaries changed and would like to know what hack or possible worm this is and what to do against - update which daemon/package ?
hi walter, as you might know, updating packages on a hacked server isn't really a solution. you have to install it completely new because you'll never know what binaries/rpms have been replaced and maybe there's a rootkit installed.
> my machine is still running at Suse 6.2 since it's a production machine some hundred kilometers away from me, so i can't just drive there making an update before January... so i appreciate any info to stabilize it hope you can help me...
maybe you can transfer the running service onto another server. something like www or ftp should not be a big problem to transfer and bring up a new server on a secure (not hacked) server. best thing is to shut this machine off as fast as you can. think about... it could be possible the attacker is running a sniffer or other programs to prepare new hack attacks.

regards,
marco

-- 
tr@nsnet internet services    phone : +49-89-48-90-33-50
lilienstr. 3-5                fax   : +49-89-48-90-33-55
81669 munich/germany          url   : http://www.trans.net/
gpg key: mail -s "get gpg key" marco.ahrendt@trans.net

»INSERT DISK THREE' ? But I can only get two in the drive !«
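
The question of which binaries/rpms were replaced can be triaged, though not settled, by sorting `rpm -Va` output; the following is an added example, not part of the original thread. It assumes the output was produced by a trusted rpm binary run from clean boot media against the mounted disk (for example `rpm -Va --root /mnt`), and the sample lines and the `triage` function name are constructed for illustration. Since the rpm database lives on the compromised disk, a clean result proves nothing and the reinstall advice above still stands.

```python
import re

# Constructed sample of `rpm -Va` output (not taken from the thread).
SAMPLE = """\
S.5....T   /bin/ls
S.5....T   /bin/ps
.......T c /etc/inittab
S.5....T c /etc/inetd.conf
missing    /usr/bin/lsof
.M......   /usr/sbin/sshd
"""

# 8 flag columns in old rpm releases, 9 in current ones; "missing" replaces
# the flags when the file is gone. An optional one-letter attribute marker
# (c = config, d = doc, g = ghost, l = license, r = readme) precedes the path.
LINE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+"
    r"(?:(?P<attr>[cdglr])\s+)?(?P<path>/.*)$"
)


def triage(rpm_va_output):
    """Sort verification failures by how suspicious they are."""
    findings = {"replaced": [], "missing": [], "perms": [], "config": []}
    for line in rpm_va_output.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not a verification line
        flags, attr, path = m.group("flags", "attr", "path")
        if attr == "c":
            # Config files are edited legitimately; review content changes by hand.
            if flags == "missing" or "5" in flags:
                findings["config"].append(path)
        elif flags == "missing":
            findings["missing"].append(path)
        elif "5" in flags:
            # Digest mismatch on a packaged non-config file: content was replaced.
            findings["replaced"].append(path)
        elif set(flags) & set("MUG"):
            # Mode, owner or group changed (e.g. an added setuid bit).
            findings["perms"].append(path)
        # Lines with only a timestamp (T) difference are ignored.
    return findings


if __name__ == "__main__":
    for category, paths in triage(SAMPLE).items():
        print(f"{category:9s} {paths}")
```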