Reinstall seems to be the option left... with the added security features discussed previously, and monitoring the server closely after the new installation. I would do the new installation on a new hard disk, keeping the seemingly compromised hard disk and afterwards installing it in a machine not connected to any network for a forensic analysis.
> I checked crontabs and I haven't found anything. But new processes
> started:
>
> www-data  6705  0.0  0.1  1616  600  ?  S  21:31  0:00  /tmp/dlciiqlno x
> www-data  6762  0.0  0.0     0    0  ?  Z  22:10  0:00  [sh] <defunct>
> www-data  6770  0.0  0.1  1624  608  ?  S  22:10  0:00  [bdflu
>
> and new connections were opened:
>
> Active Internet connections (w/o servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State
> tcp        0      0 193.77.81.144:33276     210.169.91.66:5454      ESTABLISHED
> tcp        0      0 193.77.81.144:33281     193.201.53.88:6667      ESTABLISHED
>
> Once again, /tmp/dcliiqlno doesn't exist... Where is this exec file,
> because I would really like to know what exactly it does.. And what is
> bdflu?
>
> I still haven't managed to find out how exactly this happened. And
> probably a reinstall will be needed? What do you think?
>
> Thanks..
>
> Ulf Harnhammar wrote:
>
>> On Sun, Jul 24, 2005 at 07:40:21PM +0200, Nejc Novak wrote:
>>
>>> that means, that the process was started at 17:31 today. So I checked
>>>
>>> I killed the process and webserver and at 19:31 the process again
>>> started with the same lines in syslog.
>>
>> Check your crontabs (in various locations) and atq. It sounds as if the
>> attackers have added something there.
>>
>> // Ulf

-- 
-JM.
These blue days and this sun of childhood (Antonio Machado, 1939)

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
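The two things the quoted message asks about, where the executable went and what the bracketed process is, come up in most web-server compromises, so here is an added triage script. It is not code from anyone in the thread. The ps and netstat lines it scans are constructed from the listings quoted above, with a root kernel thread and an inbound ssh session added as benign controls; the recovery part assumes a Linux /proc layout. It flags a www-data process executing from /tmp, a process whose name is bracketed like a kernel thread but is not owned by root (real kernel threads always are; [bdflu is a userland process that rewrote its argv to resemble bdflush), and established connections that the server dialled out itself, with the 6660-6669 range marked as IRC. The recovery function copies a running binary out of /proc/<pid>/exe, which still works after the file has been unlinked from /tmp, but only while the process is alive, which is why it must run before the process is killed again.

```shell
#!/bin/sh
# Added triage helpers for the situation in the thread (not code from the
# original posters). Part 1 scans saved `ps aux` and `netstat -tn` output
# for the indicators visible above; part 2 pulls a deleted executable such
# as /tmp/dlciiqlno back out of /proc while its process is still running.

# Constructed sample input. The first three ps lines and the first two
# connections are the ones quoted in the thread; the root kernel thread and
# the inbound ssh session are added here as benign controls.
PS_SAMPLE='www-data 6705 0.0 0.1 1616 600 ? S 21:31 0:00 /tmp/dlciiqlno x
www-data 6762 0.0 0.0 0 0 ? Z 22:10 0:00 [sh] <defunct>
www-data 6770 0.0 0.1 1624 608 ? S 22:10 0:00 [bdflu
root 2 0.0 0.0 0 0 ? S 17:00 0:00 [kthreadd]'
NET_SAMPLE='tcp 0 0 193.77.81.144:33276 210.169.91.66:5454 ESTABLISHED
tcp 0 0 193.77.81.144:33281 193.201.53.88:6667 ESTABLISHED
tcp 0 0 193.77.81.144:22 10.0.0.5:51022 ESTABLISHED'

# stdin: `ps aux` lines without the header. stdout: "<pid> <reason> <command>".
flag_processes() {
    awk '{
        user = $1; pid = $2; state = $8; cmd = $11
        # a binary executed from a world-writable scratch directory
        if (cmd ~ /^\/(tmp|var\/tmp|dev\/shm)\//)
            printf "%s scratch-dir-exec %s\n", pid, cmd
        # real kernel threads are listed as [name] and belong to root; a
        # bracketed name under another uid is a user process that rewrote
        # its argv to look like one. Zombies are skipped: ps brackets any
        # zombie because its argv is already gone.
        if (cmd ~ /^\[/ && user != "root" && state !~ /Z/)
            printf "%s fake-kernel-thread %s\n", pid, cmd
    }'
}

# stdin: `netstat -tn` connection lines. stdout: "<local> <remote> <reason>".
flag_connections() {
    awk '$6 == "ESTABLISHED" {
        split($4, l, ":"); lport = l[2] + 0
        split($5, r, ":"); rport = r[2] + 0
        reason = ""
        if (rport >= 6660 && rport <= 6669) reason = "irc-c2"
        else if (lport >= 32768) reason = "outbound-from-server"  # ephemeral local port: we dialled out
        if (reason != "") printf "%s %s %s\n", $4, $5, reason
    }'
}

# Copy a running, possibly already-deleted executable out of /proc together
# with the context the kernel still holds. Run this BEFORE killing the
# process: the unlinked inode is freed when the last process using it exits,
# which is why `ls /tmp` no longer shows the file.
recover_exe() {
    pid=$1; out=$2
    [ -d "/proc/$pid" ] || { echo "no such pid: $pid" >&2; return 1; }
    mkdir -p "$out" || return 1
    readlink "/proc/$pid/exe" > "$out/exe_path"           # ends in "(deleted)" if unlinked
    cp "/proc/$pid/exe" "$out/binary" || return 1          # the bytes, for offline analysis
    tr '\000' ' '  < "/proc/$pid/cmdline" > "$out/cmdline"
    tr '\000' '\n' < "/proc/$pid/environ" > "$out/environ" 2>/dev/null || true
    readlink "/proc/$pid/cwd" > "$out/cwd"
    grep '^PPid:' "/proc/$pid/status" > "$out/ppid"       # who spawned it (cron? the web server?)
    cat "/proc/$pid/maps" > "$out/maps" 2>/dev/null || true
    ( cd "$out" && sha256sum binary > binary.sha256 ) 2>/dev/null || true
}

printf '%s\n' "$PS_SAMPLE"  | flag_processes
printf '%s\n' "$NET_SAMPLE" | flag_connections
# on the affected box, while the process is still alive:
#   recover_exe 6705 /root/ir/6705
```

The recovered cmdline and ppid files answer the "where is this exec file" question and usually the "how did it restart" one as well: a parent pid of 1 with a two-hourly start time points at a scheduler, a parent in the web server's process tree points at a request that re-exploits the same hole. Either way the copied binary belongs with the disk image on the offline analysis machine, not on the reinstalled server.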