[vox-tech] lugod.org cracked?

Rod Roark rod at sunsetsystems.com
Tue Feb 15 13:36:44 PST 2005


I'm going on the assumption currently that they broke in via
apache and did not get root... nothing suggests otherwise
so far.

I've killed all apache processes and am checking all files
and directories writable by apache.

Thanks,

-- Rod

On Tuesday 15 February 2005 01:14 pm, ME wrote:
> Also, you will want to look at processes that are still running. Check out
> inetd. Use your fu from /proc/PID/*exe* and dump to files and service
> daemons. Do a cmp of the dumped data with the actual executable on disk.
> If the item in memory != app on disk, that is a sign that the service you
> see may not be yours and it should be inspected more closely.
> 
> Use lsof and look at what files are opened by various daemons -- especially
> those you suspect of not being your own.
> 
> Odds are in favor that they still have a process running on your box and
> it is set to auto-start on reboot and/or kill -- common to have a parent
> process that does little and is called something like -bash whose only
> purpose is to respawn the trojan upon termination.
> 
> You have a lot of work ahead of you.
> Good luck :-)
> 
> -ME
> 
> ME said:
> > 2 tools:
> > 1) Rootkit with local exploits
> > 2) IRC Relay with authentication and bounce... probably a file server for
> > dcc requests of pr0n, movies, or music.
> ...
> _______________________________________________
> vox-tech mailing list
> vox-tech at lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox-tech
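The /proc/PID/exe versus on-disk comparison that ME describes above, written out as a shell script. This is an added example, not code from the thread or from lugod.org; the function names (classify_exe, check_pid, deleted_fds, scan_all) and the `--scan` flag are this example's own choices. It goes a little beyond the quoted advice: it walks every PID under /proc, flags binaries that were unlinked after exec (the kernel appends " (deleted)" to the link target), and lists open file descriptors pointing at deleted files, which is the cheap stand-in for the lsof step.

```shell
#!/bin/sh
# Added example: compare the image a process was started from (/proc/PID/exe)
# with the file at the same path on disk. OK means byte-identical; MISMATCH
# means the on-disk binary differs from what is running; DELETED means the
# file was removed after exec; UNREADABLE means we could not check (usually
# a process owned by another user when not running as root).
# Names (classify_exe, check_pid, deleted_fds, scan_all, --scan) are assumptions
# of this example, not tools or conventions from the thread.

# classify_exe LINK_TARGET IMAGE
#   LINK_TARGET: what `readlink /proc/PID/exe` returned
#   IMAGE:       a readable handle on the in-memory image (normally /proc/PID/exe)
# Prints exactly one word and returns 0 only for OK.
classify_exe() {
    ce_target=$1
    ce_image=$2
    case "$ce_target" in
        "")            echo UNREADABLE; return 1 ;;
        *" (deleted)") echo DELETED;    return 1 ;;   # unlinked after exec
    esac
    if [ ! -r "$ce_target" ] || [ ! -r "$ce_image" ]; then
        echo UNREADABLE; return 1
    fi
    # cmp -s: silent byte-for-byte compare, exit 0 only when identical
    if cmp -s "$ce_image" "$ce_target"; then
        echo OK; return 0
    fi
    echo MISMATCH; return 1
}

# check_pid PID: classify one live process and print "PID STATE cmdline"
check_pid() {
    cp_pid=$1
    cp_exe=/proc/$cp_pid/exe
    cp_target=$(readlink "$cp_exe" 2>/dev/null)
    if cp_result=$(classify_exe "$cp_target" "$cp_exe"); then
        cp_status=0
    else
        cp_status=1
    fi
    cp_cmdline=$(tr '\0' ' ' < "/proc/$cp_pid/cmdline" 2>/dev/null)
    printf '%-8s %-10s %s\n' "$cp_pid" "$cp_result" "${cp_cmdline:-?}"
    return $cp_status
}

# deleted_fds PID: open descriptors whose file has been unlinked, the kind of
# thing the quoted post suggests hunting for with lsof (here via /proc/PID/fd)
deleted_fds() {
    for df_fd in /proc/"$1"/fd/*; do
        df_target=$(readlink "$df_fd" 2>/dev/null) || continue
        case "$df_target" in
            *" (deleted)") printf '%s -> %s\n' "$df_fd" "$df_target" ;;
        esac
    done
    return 0
}

# scan_all: run check_pid over every numeric /proc entry
scan_all() {
    for sa_dir in /proc/[0-9]*; do
        check_pid "${sa_dir#/proc/}" || :
    done
}

# Usage: sh exe_check.sh --scan      (as root, to be able to read other users' exe)
if [ "${1:-}" = "--scan" ]; then
    scan_all | grep -v ' OK '
fi
```

Run it as root so /proc/PID/exe of every process is readable; anything not reporting OK deserves a closer look, and a MISMATCH on a system daemon is exactly the in-memory-vs-on-disk difference the quoted post warns about. On a host you already suspect is compromised, the copies of cmp, readlink and sh on that host are themselves untrusted, so run the check from known-good media or against a mounted image where you can.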
