Hi there,

I feel for you.  Been there myself before I installed a firewall router.
(Very useful, BTW, to restrict access to only your customers' IPs instead of
the whole world.)

There isn't really enough info provided here to know for sure, but it might
be that when you were hacked, your inetd.conf file was hacked as well,
closing services to the world.  Maybe even your MySQL user/hosts tables, so
check permissions there as well. Some rootkits will restrict access after
they have hacked a machine to make sure that their hack doesn't get
overwritten by some other hacker.  This can also lock you out of the machine
except from the direct console.

So you might want to check your inetd configuration and hit
http://www.sans.org, http://www.incidents.org, and http://www.dshield.org
for more info.  Things to search for might be t0rn rootkit, ramen worm,
l0in, etc.

Here's a link about the ramen worm to get you started.

http://www.sans.org/y2k/ramen.htm

It also contains a link to a script to detect the worm on your server.

Of course, after you get things a little more under control, you'll need to
reinstall the OS, change passwords, etc.

You might also want to post the exploit via http://www.incidents.org.

Best of luck!
-Joe

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Monday, December 03, 2001 10:26 AM
> To: [EMAIL PROTECTED]
> Subject: Hacked Servers
>
>
> Hi
>
> We have 2 Redhat 6.1 servers and MySQL 3.22.32 and both boxes
> appear to have been hacked on Friday last and MYSQL client just hangs
> when connecting to the localhost MYSQL server.
>
> MySQL is running on both boxes and suffers the same problems.
>
> We also have to use kill -9 pid number to kill the server(s).
>
> No MySQL client can connect remotely to either of these machines; however, the
> local MySQL client on the hacked server(s) can connect to other remote MySQL
> servers.
>
> We have re-installed MySQL server on this hacked server and still the client
> just hangs and no errors in the logs appear.
>
> We have Intrusion software but it's very long-winded trying to find how to
> fix it - and ultimately we will re-install.
> (but first I have 600 clients per server to please!)
>
> Please HELP, we and all our tech guys are stumped.
>
> Any more info please ask.
>
> Kind regards
>
> Tony
>
>
>
>
>
>
> ---------------------------------------------------------------------
> Before posting, please check:
>    http://www.mysql.com/manual.php   (the manual)
>    http://lists.mysql.com/           (the list archive)
>
> To request this thread, e-mail <[EMAIL PROTECTED]>
> To unsubscribe, e-mail
> <[EMAIL PROTECTED]>
> Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
>
>
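
One way to carry out the inetd.conf check suggested in the reply above, as an added example that is not part of the original thread: it compares the active entries of a suspect inetd.conf with a known-good copy and reports services that were disabled, changed or added. It assumes you have a known-good copy (from backup or a clean install of the same release); the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: diff the ACTIVE entries of a suspect inetd.conf against a
# known-good copy. inetd.conf fields: service socket proto wait user server args

entries() {   # $1 = tag (G or S), $2 = inetd.conf path
    awk -v tag="$1" '
        /^[ \t]*#/ || NF < 6 { next }   # skip comments, blanks, malformed lines
        { cmd = $6; for (i = 7; i <= NF; i++) cmd = cmd " " $i
          print tag "\t" $1 "/" $3 "\t" cmd }' "$2"
}

audit_inetd() {   # $1 = known-good file, $2 = suspect file
    { entries G "$1"; entries S "$2"; } | awk -F '\t' '
        $1 == "G" { good[$2] = $3; next }
        { seen[$2] = 1
          if (!($2 in good))       print "ADDED    " $2 " -> " $3
          else if (good[$2] != $3) print "CHANGED  " $2 " -> " $3 " (was " good[$2] ")" }
        END { for (k in good) if (!(k in seen)) print "DISABLED " k }' | sort
}

demo() {   # constructed sample files, not taken from the thread
    d=$(mktemp -d)
    cat > "$d/good" <<'EOF'
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
pop-3   stream  tcp  nowait  root    /usr/sbin/tcpd  ipop3d
EOF
    cat > "$d/suspect" <<'EOF'
#ftp    stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd -h
#pop-3  stream  tcp  nowait  root    /usr/sbin/tcpd  ipop3d
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
    audit_inetd "$d/good" "$d/suspect"
    rm -rf "$d"
}

demo
```

Run it against a copy of the file taken to a trusted machine, since the tools on a compromised host cannot be relied on.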

