Linux Users' Group of Davis (LUGOD)
Page last updated: 2005 Feb 15 14:35

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] lugod.org cracked?
I'm going on the assumption currently that they broke in via
apache and did not get root... nothing suggests otherwise
so far.

I've killed all apache processes and am checking all files
and directories writable by apache.

Thanks,

-- Rod

On Tuesday 15 February 2005 01:14 pm, ME wrote:
> Also, you will want to look at processes that are still running. Check out
> inetd. Use your fu from /proc/PID/*exe* and dump to files and service
> daemons. Do a cmp of the dumped data with the actual executable on disk.
> If the item in memory != app on disk, that is a sign that the service you
> see may not be yours and they should be inspected more closely.
> 
> Use lsof and look at what files are opened by various daemons -- especially
> those you suspect of not being your own.
> 
> Odds are in favor that they still have a process running on your box and
> it is set to auto-start on reboot and/or kill -- common to have a parent
> process that does little and is called something like -bash whose only
> purpose is to respawn the trojan upon termination.
> 
> You have a lot of work ahead of you.
> Good luck :-)
> 
> -ME
> 
> ME said:
> > 2 tools:
> > 1) Rootkit with local exploits
> > 2) IRC Relay with authentication and bounce... probably a file server for
> > dcc requests of pr0n, movies, or music.
> ...
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
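As an added example that is not part of the thread (mine, not Rod's or ME's), here is a POSIX sh script for the two checks discussed above: comparing each process's in-memory image (/proc/PID/exe) with the file on disk, and listing the files the web server's user could have modified. It assumes a Linux /proc, cmp(1) and find(1); the optional PROC_ROOT argument and the user and group names passed in are assumptions so the checks can be exercised on a constructed tree.

```shell
#!/bin/sh
# Added example, not code from the thread: sh functions for the two checks
# ME and Rod describe. Assumes Linux with /proc, cmp(1) and find(1). The
# PROC_ROOT argument exists only so the checks can be exercised against a
# constructed tree; on a live system leave it at the default /proc.

# proc_exe_status PID [PROC_ROOT]
# Prints ok | deleted | mismatch | unreadable; returns 0 only for ok.
# /proc/PID/exe is the image the process really runs; if its on-disk file is
# gone or differs byte for byte, the daemon you see may not be yours.
proc_exe_status() {
    pid=$1; root=${2:-/proc}
    link=$(readlink "$root/$pid/exe" 2>/dev/null) || { echo unreadable; return 1; }
    case $link in
        *" (deleted)") echo deleted; return 1 ;;  # binary unlinked or replaced after exec
    esac
    [ -r "$link" ] || { echo unreadable; return 1; }
    if cmp -s "$root/$pid/exe" "$link"; then
        echo ok
    else
        echo mismatch; return 1
    fi
}

# scan_procs [PROC_ROOT]: report each process whose image does not check out,
# with its comm name, since a respawner may hide behind a name like "-bash".
# Run as root; otherwise kernel threads and other users' processes read as unreadable.
scan_procs() {
    root=${1:-/proc}
    for d in "$root"/[0-9]*; do
        pid=${d##*/}
        status=$(proc_exe_status "$pid" "$root") || :
        [ "$status" = ok ] && continue
        printf '%s\t%s\t%s\n' "$pid" "$status" "$(cat "$d/comm" 2>/dev/null)"
    done
}

# list_writable_by DIR USER GROUP: files under DIR that USER could modify
# (owned by USER with u+w, group GROUP with g+w, or world-writable): the set
# an apache-only compromise could have touched or planted.
list_writable_by() {
    find "$1" -xdev -type f \( \
        \( -user "$2" -perm -200 \) -o \
        \( -group "$3" -perm -020 \) -o \
        -perm -002 \) 2>/dev/null
}
```

On a live box, `scan_procs` as root and `list_writable_by / apache apache` (or whatever user httpd runs as) give the two lists to work through.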
Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.