Hi all,
Well... bad day for me.
One of our servers was hacked (woody)... badly, from what I can see. A
whole bunch of binaries have been modified, and strange processes are
running on the server. The hack date appears to be Jun 6.
Is there a document somewhere, or a procedure, to recover after this? This
is a working and running system, so I somehow need to be able to recover
from this with minimal impact to end-users.
Some things like:
www-data 17451 0.0 0.0 2164 928 ? S 02:31 0:00 /bin/sh
www-data 21550 0.0 0.0 1232 236 ? S 05:02 0:00 ./x
www-data 21551 0.0 0.0    0   0 ? Z 05:02 0:00 [x]
root     21552 0.0 0.0    0   0 ? Z 05:02 0:00 [modprobe]
root     12266 0.0 0.0 1264 252 ? T 07:15 0:00 date +%d
Anyone seen anything like this? Could this be the kernel hack people were
talking about affecting 2.4.17?
Guess you guys would know a lot about this stuff...
Any help and suggestions greatly appreciated.
Sincerely,
Jas
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
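The process listing in the post shows the usual signs of a web-server compromise: a shell and a binary launched from a relative path (`./x`) running as www-data, zombie children, and a stopped `date` job owned by root. The script below is an added example, not part of the post, that parses `ps aux` output and flags those indicators so a responder can triage a listing quickly. The column layout is that of `ps aux`; the set of service accounts in SERVICE_USERS and the sample listing (which reproduces the post's five lines plus constructed benign and masquerading entries) are assumptions made for the example. One caveat a practitioner would add: since the poster reports modified binaries, `ps` itself cannot be trusted on the live host; run it from a known-good static binary or from a rescue boot, or capture the listing and triage it offline as this script does.

```python
"""Triage a `ps aux` listing for indicators of a compromised web server.

Added example for the thread above; not the poster's code. Heuristics:
  * shells owned by the web-server account
  * executables launched from a relative or world-writable path
  * zombie (Z) and stopped (T) processes
  * bracketed "kernel thread" names that nevertheless own address space
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# ps aux columns: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
PS_LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<pid>\d+)\s+[\d.]+\s+[\d.]+\s+"
    r"(?P<vsz>\d+)\s+(?P<rss>\d+)\s+(?P<tty>\S+)\s+(?P<stat>\S+)\s+"
    r"\S+\s+[\d:.]+\s+(?P<cmd>.*)$"
)

# Assumption: the accounts a web server drops to on a Debian-style host.
SERVICE_USERS = {"www-data", "apache", "nobody"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "sh", "bash", "dash"}
WRITABLE_PREFIXES = ("./", "/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Proc:
    user: str
    pid: int
    vsz: int
    rss: int
    stat: str
    cmd: str


def parse_ps(text: str) -> list[Proc]:
    """Parse `ps aux` text into Proc records, skipping the header line."""
    procs: list[Proc] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("USER "):
            continue
        m = PS_LINE.match(line)
        if m is None:
            continue  # unparseable line; a real tool would log it for review
        procs.append(Proc(m["user"], int(m["pid"]), int(m["vsz"]),
                          int(m["rss"]), m["stat"], m["cmd"]))
    return procs


def indicators(p: Proc) -> list[str]:
    """Return the list of reasons this process deserves a closer look."""
    reasons: list[str] = []
    argv0 = p.cmd.split(maxsplit=1)[0] if p.cmd else ""
    if p.user in SERVICE_USERS and argv0 in SHELLS:
        reasons.append("shell running as web-server user")
    if argv0.startswith(WRITABLE_PREFIXES):
        reasons.append("binary launched from a relative or world-writable path")
    if "Z" in p.stat:
        reasons.append("zombie: parent is not reaping children")
    if "T" in p.stat:
        reasons.append("stopped process")
    # Real kernel threads have no user address space (VSZ 0); a bracketed
    # name with VSZ > 0 is a user process masquerading as one.
    if argv0.startswith("[") and p.vsz > 0:
        reasons.append("bracketed name but has address space: not a kernel thread")
    return reasons


def triage(text: str) -> dict[int, list[str]]:
    """Map PID -> indicators for every flagged process in the listing."""
    return {p.pid: indicators(p) for p in parse_ps(text) if indicators(p)}


# Constructed sample: the post's five lines plus a benign init, a benign
# apache worker, and a fake "[kjournald]" that has a 2000 KB address space.
SAMPLE_PS = """\
USER       PID %CPU %MEM  VSZ  RSS TTY STAT START TIME COMMAND
root         1  0.0  0.1 1344  520 ?   S    Jun01 0:04 init [2]
www-data  1234  0.0  0.3 5120 1800 ?   S    Jun01 0:00 /usr/sbin/apache
www-data 17451  0.0  0.0 2164  928 ?   S    02:31 0:00 /bin/sh
www-data 21550  0.0  0.0 1232  236 ?   S    05:02 0:00 ./x
www-data 21551  0.0  0.0    0    0 ?   Z    05:02 0:00 [x]
root     21552  0.0  0.0    0    0 ?   Z    05:02 0:00 [modprobe]
root     12266  0.0  0.0 1264  252 ?   T    07:15 0:00 date +%d
root       999  0.0  0.0 2000  300 ?   S    Jun01 0:00 [kjournald]
"""

if __name__ == "__main__":
    for pid, reasons in sorted(triage(SAMPLE_PS).items()):
        print(f"PID {pid}: {'; '.join(reasons)}")
```

Feed it a saved listing with `triage(open("ps.txt").read())`. The heuristics are deliberately coarse; their job is to shortlist processes for `ls -l /proc/PID/exe`, `/proc/PID/cwd` and a check of the binary against package checksums, not to decide anything on their own.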