Hi,

Boot your machine in single user. Run an md5sum on /sbin/init and compare with a 'secure' machine. Download http://www.chkrootkit.org and run it. It's recommended to run chkrootkit using your own static binaries on another path or CDROM (you can see which binaries are needed on the chkrootkit website).

chkrootkit provides a 'strings' binary. Run it on /sbin/init and look for strange expressions (usually FUCK or something like that).

It's recommended to run a nightly apt-get update and apt-get upgrade to keep your machines safe. :-) There are a lot of exploits for openssl, the most used is openssl-too-open and it can exploit a non-updated version of Woody.

On Tue, Apr 22, 2003 at 09:00:11PM +0200, Christian Könning wrote:
> Hello List,
>
> I hope this is not off topic:
>
> My private server has been hacked:
> debian woody 2.4.18bf2.4 kernel, apache-ssl, samba, squid.
>
> now my problem: the intruder used a rootkit, i think, cause he deleted
> /var/log, symlinked /root/.bash_history > /dev/null, etc.
> Is there any way to recover the evidence, e.g. the /var/log/ directory?
> (ext2)
>
> and there are three sh processes running as root? Ptrace exploit?
> how can i dump these processes to file, to keep this evidence?
>
>
> Thanks for help
>
> --
> Christian Koenning

--
Christiano Anderson <[EMAIL PROTECTED]>
http://people.debian-rs.org/~anderson
Porto Alegre/RS
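The checksum comparison and the strings scan suggested in the reply above, as an added shell example that is not part of the original list post: `verify_baseline` reads a baseline in md5sum's own output format (taken on the trusted machine) and reports every binary whose hash differs, and `scan_strings` greps a binary for a crude, assumed list of tokens that have no business being in a stock init. Paths, the token list and the baseline file name are assumptions; as the post says, run this from your own static binaries on read-only media, since the md5sum and grep on a compromised host cannot be trusted.

```shell
#!/bin/sh
# Added example, not from the original post or from chkrootkit.
#
# Baseline is produced on the trusted machine with md5sum's own format:
#   md5sum /sbin/init /bin/ps /bin/ls /bin/netstat > baseline.md5
# and copied to the suspect host on read-only media together with
# statically linked md5sum/grep/awk.

# verify_baseline BASELINE_FILE
#   Prints one line per missing or modified file; returns 0 only when
#   every listed file matches its recorded hash.
verify_baseline() {
    baseline="$1"
    status=0
    while read -r expected path; do
        [ -n "$path" ] || continue          # skip blank lines
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            status=1
            continue
        fi
        actual=$(md5sum "$path" | awk '{print $1}')
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $path expected=$expected actual=$actual"
            status=1
        fi
    done < "$baseline"
    return "$status"
}

# scan_strings FILE
#   Stand-in for "strings FILE | grep ...": grep -a treats the binary as
#   text and -o prints only the matching token. The token list is an
#   assumed example; extend it with whatever chkrootkit or your own
#   review turns up. Returns 0 (like grep) when something matched.
scan_strings() {
    LC_ALL=C grep -a -o -i -E 'rootkit|backdoor|sniff|/dev/ptyp|FUCK' "$1"
}

# Typical use on the suspect host (baseline path is an assumption):
#   verify_baseline /mnt/cdrom/baseline.md5
#   scan_strings /sbin/init
```

A clean run prints nothing from both functions; any MISMATCH on /sbin/init, or any token printed by `scan_strings`, is the point at which the post's advice to stop trusting the host's own binaries applies.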