D&C GLug - Home Page

[ Date Index ] [ Thread Index ] [ <= Previous by date / thread ] [ Next by date / thread => ]

Re: [LUG] Server got hacked


On 25/11/13 17:40, Martijn Grooten wrote:
I agree that rebuilding the box is the most sensible thing to do, but depending on what the box is used for, it may not be the most practicle thing to do.

I am in this position...

But the alternative doesn't have to be doing nothing. Some malware targeting web servers can be pretty stealthy. At the very least I would check the integrity of the web server binary. I would also try to figure out what kind of things they tried to do - that may point to some hidden processes or files they left behind. Also: keep checking the IP address against some DNS blacklists.

They tried to install a IRC botnet, that much I know, since I have the evidence, they could not get it to run properly, due to various issues, but mainly do to the complexity the current install!

I am nearly 100% sure that they have not logged in before now (but they might have hidden their tracks) so I don't think they have done any other damage to anything.
It looks like a stealth attempt at installing a botnet client.
They wouldn't want me to find out about it or I would clean/reinstall the server. I notice they were issuing w commands (I assume to see if anyone was logged in)


Email: stinga+dclug@xxxxxxxxxxxxx   o
You need only two tools.        o /////
A hammer and duct tape. If it    /@   `\  /) ~
doesn't move and it should use  >  (O)  X<  ~  Fish!!
the hammer. If it moves and      `\___/'  \) ~
shouldn't, use the tape.           \\\

The Mailing List for the Devon & Cornwall LUG
FAQ: http://www.dcglug.org.uk/listfaq