Re: possibly hacked

On Thu, 16 Nov 2006 16:16:34 -0700, Robin Laing wrote:

> Amadeus W. M. wrote:
>> On Thu, 16 Nov 2006 10:26:20 -0600, olga wrote:
>> 
>> 
>>>Hi,
>>>
>>> I wrote about kernel errors which somebody pointed out was because the
>>>server was running out of memory.
>>>
>>>Now I found the following which makes me think that that server may have
>>>been compromised.
> 
> snip
> 
>> If you can, unplug the network wire (though if they know what they are
>> doing, your hard drive might be wiped off when their scripts detect that
>> the network is down. It's your call.). Run rpm -V from a rescue cd (not the
>> one in /usr/bin) on procps, net-tools, and the other essential system
>> utilities (including rpm itself). Then you'll know for sure.
>> 
> 
> Just posting a question in regards to this statement.
> 
> How about pulling the plug and fscking the drive using the rescue CD? 
> Not the best idea but could save a total wipe.
> 

fsck checks the integrity of the file system (orphan inodes and such), not
what's on it. 

I meant the hackers might have left some program behind to wipe off
the drive to remove all their traces when the network goes down. 

The actions the victim will take are a different story, and might
depend on what's at stake. When I was hacked (a vulnerability in rpc.statd
in RH6.2), there wasn't any sensitive data on the drive, so pulling the
plug was not high risk. Script kiddies usually don't care to clean up
after themselves, they leave behind a load of hacking tools. The former
KGB agent, or the former FBI agent, on the other hand... If the victim is
an important server, it might not even be possible (or easy) to take it
off the network without some prior notice to the users. So it's the
administrator's decision. It must be swift though, as a hacked machine is
being used to scan and break into other machines. In fact that's how I knew
I was hacked, I started to receive emails from various universities that
my machine was trying to break into theirs.
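
The `rpm -V` check suggested in the quoted advice above, as an added example that is not part of the original thread: a filter that reduces `rpm -V` output to the findings that matter on a suspect host (changed digest, changed mode, or missing file, ignoring config files). The function names, the sample output, and the `/mnt/sysimage` mount point in the comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Real use from a rescue environment, with the suspect disk
# mounted at /mnt/sysimage (assumed mount point):
#   rpm -V --root /mnt/sysimage procps net-tools rpm | flag_rpm_verify

# Read `rpm -V` output on stdin and print only the suspicious entries.
# Each input line is: <flags or "missing"> [attribute marker] <path>
flag_rpm_verify() {
    awk '
        # A third field means an attribute marker is present (c = config file).
        { marker = (NF >= 3) ? $2 : ""; file = $NF }
        marker == "c"   { next }                          # config files are expected to change
        $1 == "missing" { print "MISSING  " file; next }  # packaged file no longer on disk
        $1 ~ /5/        { print "DIGEST   " file; next }  # content differs from the package
        $1 ~ /M/        { print "MODE     " file }        # permissions or file type differ
    '
}

# Constructed sample of `rpm -V` output (not taken from a real system).
sample_output() {
    cat <<'EOF'
S.5....T.  c /etc/sysctl.conf
S.5....T.    /bin/ps
.......T.    /usr/bin/top
missing      /bin/netstat
.M.......    /sbin/ifconfig
EOF
}

sample_output | flag_rpm_verify
```

A timestamp-only change (`T`) is not reported, since it does not by itself show that a binary was replaced.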