possibly hacked

Robin Laing Robin.Laing at drdc-rddc.gc.ca
Mon Nov 20 15:57:01 UTC 2006


Amadeus W. M. wrote:
> On Thu, 16 Nov 2006 16:16:34 -0700, Robin Laing wrote:
> 
> 
>>Amadeus W. M. wrote:
>>
>>>On Thu, 16 Nov 2006 10:26:20 -0600, olga wrote:
>>>
>>>
>>>
>>>>Hi,
>>>>
>>>>I wrote about kernel errors which somebody pointed out was because the
>>>>server was running out of memory.
>>>>
>>>>Now I found the following which makes me think that that server may have
>>>>been compromised.
>>
>>snip
>>
>>
>>>If you can, unplug the network wire (though if they know what they are
>>>doing, your hard drive might be wiped off when their scripts detect that
>>>the network is down. It's your call.). Run rpm -V from a rescue cd (not the
>>>one in /usr/bin) on procps, net-tools, and the other essential system
>>>utilities (including rpm itself). Then you'll know for sure.
>>>
>>
>>Just posting a question in regards to this statement.
>>
>>How about pulling the plug and fscking the drive using the rescue CD? 
>>Not the best idea but could save a total wipe.
>>
> 
> 
> fsck checks the integrity of the file system (orphan inodes and such), not
> what's on it. 
> 
> I meant the hackers might have left some program behind to wipe off
> the drive to remove all their traces when the network goes down. 
> 
> The actions the victim will take are a different story, and might
> depend on what's at stake. When I was hacked (a vulnerability in rpc.statd
> in RH6.2), there wasn't any sensitive data on the drive, so pulling the
> plug was not high risk. Script kiddies usually don't care to clean up
> after themselves, they leave behind a load of hacking tools. The former
> KGB agent, or the former FBI agent, on the other hand... If the victim is
> an important server, it might not even be possible (or easy) to take it
> off the network without some prior notice to the users. So it's the
> administrator's decision. It must be swift though, as a hacked machine is
> being used to scan and break into other machines. In fact that's how I knew
> I was hacked, I started to receive emails from various universities that
> my machine was trying to break into theirs.
> 

I was only thinking in the terms of a script to wipe out the drives/data
being implemented on shutdown.  That is why I left the part about "your
hard drive might be wiped off when their scripts detect that the network
is down".  I wasn't thinking in terms of checking/verifying
data/programs.  That was already discussed by booting into Rescue Mode.
I should have made myself clearer.

A hard crash is a good way to stop any running program.
-- 
Robin Laing
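The check recommended earlier in the thread, running `rpm -V` on procps, net-tools, rpm and the other essential packages from rescue media, produces one line per file that no longer matches the package database: a nine-character flag field (S size, M mode, 5 digest, D device, L link, U user, G group, T mtime, P capabilities), an optional file-type letter (c for config files), and the path; a vanished file is reported as `missing`. The script below is an added example, not code from anyone in this thread, and runs over a constructed sample of such output so it can be tried offline; the package names and paths in the sample are illustrative. It separates the findings that matter in a compromise investigation (changed contents or missing files in non-config packages, the classic sign of replaced ps/netstat/ifconfig binaries) from the noise of edited config files and touched timestamps.

```shell
#!/bin/sh
# Added example: interpret `rpm -V` output when checking a suspect system.
# Real invocation from a rescue CD, with the suspect disk mounted at
# /mnt/sysimage (the usual rescue-mode mount point), so that the rpm
# binary and libraries doing the checking come from the CD, not the disk:
#   rpm --root /mnt/sysimage -V procps net-tools rpm
# Caveat: the rpm database under --root still lives on the suspect disk.
# If that might have been edited too, verify against known-good package
# files from the install media instead:  rpm -Vp /media/cdrom/.../procps-*.rpm

# Constructed sample of rpm -V output (not real results from any host).
SAMPLE='S.5....T.    /bin/ps
.......T.    /bin/netstat
S.5....T.  c /etc/sysctl.conf
missing     /usr/bin/top
.M.......    /sbin/ifconfig'

# classify_rpm_verify TEXT
# Prints one line per finding:
#   ALERT  non-config file missing, or size/digest changed (replaced binary?)
#   WARN   only mode/owner/group changed
#   INFO   config file edited, or timestamp-only change
classify_rpm_verify() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        # Word-split the line: flags, optional type letter, path.
        # shellcheck disable=SC2086
        set -- $line
        flags=$1
        if [ $# -ge 3 ]; then attr=$2; path=$3; else attr=""; path=$2; fi

        if [ "$flags" = "missing" ]; then
            echo "ALERT $path (file missing)"
        elif [ "$attr" = "c" ]; then
            echo "INFO $path (config file changed: $flags)"
        else
            case "$flags" in
                *5*|S*)       echo "ALERT $path (contents changed: $flags)" ;;
                ?M*|*U*|*G*)  echo "WARN $path (mode/ownership changed: $flags)" ;;
                *)            echo "INFO $path (timestamp only: $flags)" ;;
            esac
        fi
    done
}

# Stand-alone run over the constructed sample.
classify_rpm_verify "$SAMPLE"
```

On a live incident, feed the function the real output (`rpm --root /mnt/sysimage -V ... | classify_rpm_verify "$(cat)"`) and treat every ALERT on a binary in /bin, /sbin or /usr/bin as a reason to rebuild from clean media rather than to trust the machine further.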
