[nzlug] compromised server?

Robert razza at razza.org
Sat May 12 18:46:44 NZST 2007


Also look at running some rootkit detection tools on the box, such as 
Rootkit Hunter (http://www.rootkit.nl/) and chkrootkit 
(http://www.chkrootkit.org/). It's a good idea to use these tools on a 
regular basis; that way the rootkit detection tools can also tell you if 
anything in your environment has changed since the last sweep.

If in doubt, set up a replacement server for the compromised one and take 
the server offline for some serious investigation.

Rob

yuri wrote:
> On 10/05/07, Michael J. Knox wrote:
>> Log files, /var/log/, shell history of the users you have on the install
>> are probably good places to start. Does sudo under ubuntu log to its own
>> file? I am not sure, debian sarge doesn't by default. I use logwatch to
>> tell me some of the above.
>>
>> apache logs, /var/log/apache2/, would probably provide useful insight.
>
> Be aware that a cracker may have modified the logs to hide his tracks.
> A cracker may also install cracked versions of tools like 'ps' to hide
> any trojan services running on that box.
>
> Placing a hub (or switch with a monitoring port) between the suspect
> box and the router to the outside world will allow you to sniff
> traffic with another computer.
>
> Yuri
>
> _______________________________________________
> NZLUG mailing list NZLUG at linux.net.nz
> http://www.linux.net.nz/cgi-bin/mailman/listinfo/nzlug
>
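As an added illustration of Rob's point about regular sweeps that report what has changed since the last one (this is example code written for this page, not part of the thread, and not from rkhunter or chkrootkit): a minimal file-integrity sweep in POSIX sh. It records a SHA-256 baseline of every regular file under a directory and, on the next run, reports files that were changed, removed or added. The function names, the directory layout and the "trojaned ps" sample in the usage are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): a baseline-and-compare integrity sweep.
# Assumptions: GNU coreutils (sha256sum, comm, mktemp) and paths without
# whitespace, since sha256sum output is split on spaces below.

# snapshot DIR: print "hash  path" for every regular file under DIR
snapshot() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done
}

# sweep_baseline DIR BASELINE_FILE: record the current state as the baseline
sweep_baseline() {
    snapshot "$1" > "$2"
}

# sweep_check DIR BASELINE_FILE: print CHANGED/REMOVED/ADDED lines versus the
# baseline; return 0 when nothing differs, 1 when something does
sweep_check() {
    dir=$1; baseline=$2
    tmp=$(mktemp -d)
    LC_ALL=C sort "$baseline" > "$tmp/base"
    snapshot "$dir" | LC_ALL=C sort > "$tmp/now"
    # path-only listings, used to tell "changed" from "removed" and to find additions
    awk '{print $2}' "$tmp/base" | LC_ALL=C sort > "$tmp/base.paths"
    awk '{print $2}' "$tmp/now"  | LC_ALL=C sort > "$tmp/now.paths"
    {
        # baseline "hash  path" lines that no longer exist: the file was
        # modified (path still present) or deleted (path gone)
        comm -23 "$tmp/base" "$tmp/now" | awk '{print $2}' | while IFS= read -r p; do
            if grep -qxF "$p" "$tmp/now.paths"; then
                echo "CHANGED $p"
            else
                echo "REMOVED $p"
            fi
        done
        # paths present now that the baseline never saw
        comm -13 "$tmp/base.paths" "$tmp/now.paths" | sed 's/^/ADDED /'
    } > "$tmp/report"
    cat "$tmp/report"
    status=0
    [ -s "$tmp/report" ] && status=1
    rm -rf "$tmp"
    return $status
}

# Usage (constructed sample tree; a real sweep would cover /bin, /sbin, /usr
# and the other directories a rootkit replaces, with the baseline kept offline):
# sweep_baseline /tmp/sample-root /root/sweep.baseline
# ... later ...
# sweep_check /tmp/sample-root /root/sweep.baseline || echo "differences found"
```

The comparison is only as trustworthy as the binaries it runs, which is the point Yuri makes about trojaned `ps`: a rootkit that replaces `find` or `sha256sum` can feed this script a clean picture. That is why the baseline belongs on read-only or off-box storage and why, when in doubt, the disk is checked from a known-clean system rather than from the suspect host itself.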
