possibly hacked
Robin Laing
Robin.Laing at drdc-rddc.gc.ca
Mon Nov 20 15:57:01 UTC 2006
Amadeus W. M. wrote:
> On Thu, 16 Nov 2006 16:16:34 -0700, Robin Laing wrote:
>
>
>>Amadeus W. M. wrote:
>>
>>>On Thu, 16 Nov 2006 10:26:20 -0600, olga wrote:
>>>
>>>
>>>
>>>>Hi,
>>>>
>>>>I wrote about kernel errors which somebody pointed out was because the
>>>>server was running out of memory.
>>>>
>>>>Now I found the following which makes me think that that server may have
>>>>been compromised.
>>
>>snip
>>
>>
>>>If you can, unplug the network wire (though if they know what they are
>>>doing, your hard drive might be wiped off when their scripts detect that
>>>the network is down. It's your call.). Run rpm -V from a rescue cd (not the
>>>one in /usr/bin) on procps, net-tools, and the other essential system
>>>utilities (including rpm itself). Then you'll know for sure.
>>>
>>
>>Just posting a question in regards to this statement.
>>
>>How about pulling the plug and fscking the drive using the rescue CD?
>>Not the best idea but could save a total wipe.
>>
>
>
> fsck checks the integrity of the file system (orphan inodes and such), not
> what's on it.
>
> I meant the hackers might have left some program behind to wipe off
> the drive to remove all their traces when the network goes down.
>
> The actions the victim will take are a different story, and might take
> depend on what's at stake. When I was hacked (a vulnerability in rpc.statd
> in RH6.2), there wasn't any sensitive data on the drive, so pulling the
> plug was not high risk. Script kiddies usually don't care to clean up
> after themselves, they leave behind a load of hacking tools. The former
> KGB agent, or the former FBI agent, on the other hand... If the victim is
> an important server, it might not even be possible (or easy) to take it
> off the network without some prior notice to the users. So it's the
> administrator's decision. It must be swift though, as a hacked machine is
> being used to scan and break into other machines. In fact that's how I knew
> I was hacked, I started to receive emails from various universities that
> my machine was trying to break into theirs.
>
I was only thinking in the terms of a script to wipe out the drives/data
being implemented on shutdown. That is why I left the part about "your
hard drive might be wiped off when their scripts detect that the network
is down". I wasn't thinking in terms of checking/verifying
data/programs. That was already discussed by booting into Rescue Mode.
I should have made myself clearer.
A hard crash is a good way to stop any running program.
--
Robin Laing
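The thread's advice is to verify the essential packages with the rpm binary from a rescue CD rather than the one on the suspect disk, and then to read the rpm -V output. The script below is an added example, not part of the original thread, showing how that check is run against the mounted root from the rescue environment and how its output can be triaged. It assumes the suspect root is mounted at /mnt/sysimage (a placeholder mount point) and runs its triage on a constructed sample of rpm -V output embedded in the script, so it can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread): verify packages from a rescue
# environment and triage the rpm -V output.

# Constructed sample in the format rpm -V prints (not output from any real host):
#   flags (S size, M mode, 5 digest, D device, L link, U user, G group, T mtime,
#   P capabilities; "." = unchanged), optional attribute (c = config file), path.
SAMPLE_OUTPUT='S.5....T.    /bin/ps
.......T.  c /etc/sysconfig/network
missing     /sbin/ifconfig
S.5....T.    /usr/bin/rpm'

# verify_from_rescue ROOT PKG...: run the rescue CD's rpm against the mounted
# suspect root, so neither the rpm binary nor the rpm database on the suspect
# disk is trusted to run. ROOT is an assumption, e.g. /mnt/sysimage.
verify_from_rescue() {
    root="$1"; shift
    rpm --root "$root" -V "$@"
}

# classify_line LINE: print "SEVERITY PATH FLAGS" for one rpm -V line.
#   missing file, or size/digest change on a non-config file  -> HIGH
#   size/digest change on a config file (c)                   -> INFO
#   mode/owner/group/link/device change                       -> MEDIUM
#   anything else (typically only the mtime column T)         -> LOW
classify_line() {
    line="$1"
    set -- $line            # word-split into: flags [attr] path
    flags="$1"
    if [ "$#" -ge 3 ]; then
        attr="$2"; path="$3"
    else
        attr=""; path="$2"
    fi
    if [ "$flags" = "missing" ]; then
        sev=HIGH
    else
        case "$flags" in
            *5*|*S*)
                if [ "$attr" = "c" ]; then sev=INFO; else sev=HIGH; fi ;;
            *M*|*U*|*G*|*L*|*D*)
                sev=MEDIUM ;;
            *)
                sev=LOW ;;
        esac
    fi
    printf '%s %s %s\n' "$sev" "$path" "$flags"
}

# triage: read rpm -V output on stdin, one classified line per input line.
triage() {
    while IFS= read -r line; do
        [ -n "$line" ] && classify_line "$line"
    done
}

# count_high: number of HIGH findings in rpm -V output read from stdin.
count_high() {
    triage | grep -c '^HIGH '
}

# Demo on the constructed sample. On a real rescue boot, replace the sample with:
#   verify_from_rescue /mnt/sysimage procps net-tools rpm | triage
printf '%s\n' "$SAMPLE_OUTPUT" | triage
```

A changed digest on /bin/ps or on rpm itself is the case the thread is worried about: those are the tools an intruder replaces to hide processes and to make the on-disk rpm report everything as clean, which is why the verification has to come from the rescue media.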