Re: possibly hacked

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Amadeus W. M. wrote:
On Thu, 16 Nov 2006 16:16:34 -0700, Robin Laing wrote:


Amadeus W. M. wrote:

On Thu, 16 Nov 2006 10:26:20 -0600, olga wrote:



Hi,

I wrote about kernel errors which somebody pointed out was because the
server was running out of memory.

Now I found the following which makes me think that that server may have
been compromized.

snip


If you can, unplug the network wire (though if they know what they are
doing, your hard drive might be wiped off when their scripts detect that
the network is down. It's your call.). Run rpm -V from a rescue cd (not the
one in /usr/bin) on procps, net-tools, and the other essential system
utilities (including rpm itself). Then you'll know for sure.


Just posting a question in regards to this statement.

How about pulling the plug and fscking the drive using the rescue CD? Not the best idea but could save a total wipe.



fsck checks the integrity of the file system (orphan inodes and such), not
what's on it.
I meant the hackers might have left some program behind to wipe off
the drive to remove all their traces when the network goes down.
The actions the victim will take are a different story, and might take
depend on what's at stake. When I was hacked (a vulnerability in rpc.statd
in RH6.2), there wasn't any sensitive data on the drive, so pulling the
plug was not high risk. Script kiddies usually don't care to clean up
after themselves, they leave behind a load of hacking tools. The former
KGB agent, or the former FBI agent, on the other hand... If the victim is
an important server, it might not even be possible (or easy) to take it
off the network without some prior notice to the users. So it's the
administrator's decision. It must be swift though, as a hacked machine is
being used to scan and break into other machines. In fact that's how I new
I was hacked, I started to receive emails from various universities that
my machine was trying to break in into theirs.


I was only thinking in the terms of a script to wipe out the drives/data being implemented on shutdown. That is why I left the part about "your hard drive might be wiped off when their scripts detect that the network is down". I wasn't thinking in terms of checking/verifying data/programs. That was already discussed by booting into Rescue Mode. I should have made myself clearer.

A hard crash is a good way to stop any running program.
--
Robin Laing


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux