[wellylug] Think I've had a server hacked
Wayne Koorts
wkoorts at gmail.com
Wed Oct 26 10:38:07 NZDT 2005
Hi Mark,
You have definitely been hacked. The very first thing you need to do
is remove the period "." from the PATH environment variable that he's
added. Normally what they'd do is copy in a set of trojans disguised
as normal commands (cd, ls, grep etc.) and try to lure you into a
folder (usually by creating a really large file or something) which
contains these. The period in the PATH variable then means that it
will look for commands in the current folder, thus executing the
trojans which you think are normal commands.
Make sure that your root password is changed immediately and also
delete anything that they've downloaded onto the system and clear your
/tmp folder if there's nothing in there that you need. Another thing
is to make sure that you're using shadowed passwords which are MD5
encrypted and that there are no stale users on the system. That means
delete any old accounts and make sure that all users have strong
passwords. And make sure you have the latest security updates
available. Although RH 7.2 is probably not supported anymore.
HTH!
--
Regards,
Wayne Koorts
Registered Linux User #330079
www.wkoorts.com
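The PATH trick described in the reply above, as an added, self-contained demonstration (this is not code from the original post or from anyone in the thread). It builds a constructed "trojan" named ls in a scratch directory, shows that it runs in place of /bin/ls whenever "." sits at the front of PATH, and provides a small helper that strips "." and empty components (an empty component also means the current directory) out of a PATH string. It assumes a POSIX sh, mktemp -d and a real /bin/ls; the directory and function names are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# Shows why "." in PATH is dangerous and how to scrub it out.

# strip_dot_from_path PATHSTRING
# Prints PATHSTRING with every "." component and every empty component
# removed (both mean "current directory" to the shell's command lookup).
strip_dot_from_path() {
    case $- in *f*) had_f=1 ;; *) had_f=0 ;; esac
    set -f                      # no globbing while we split on ":"
    old_ifs=$IFS
    IFS=':'
    result=''
    for comp in $1; do
        case "$comp" in
            ''|.) continue ;;   # drop current-directory entries
        esac
        result="${result:+$result:}$comp"
    done
    IFS=$old_ifs
    [ "$had_f" -eq 1 ] || set +f
    printf '%s\n' "$result"
}

# Constructed scratch layout: a "victim" directory holding a fake ls that
# leaves a marker file and then execs the real /bin/ls so output looks normal.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/victim"
cat > "$demo_dir/victim/ls" <<EOF
#!/bin/sh
echo trojan-ran >> "$demo_dir/marker"
exec /bin/ls "\$@"
EOF
chmod +x "$demo_dir/victim/ls"

# run_ls_with_path PATHSTRING
# cd into the victim directory, run "ls" under the given PATH and report
# whether the real binary or the planted one was executed.
run_ls_with_path() {
    rm -f "$demo_dir/marker"
    (
        cd "$demo_dir/victim" || exit 1
        PATH=$1
        export PATH
        hash -r 2>/dev/null || true   # forget any cached lookup of ls
        ls >/dev/null 2>&1
    )
    if [ -f "$demo_dir/marker" ]; then
        echo trojan
    else
        echo real
    fi
}

cleanup_demo() {
    rm -rf "$demo_dir"
}

# Stand-alone run: "." first in PATH executes the planted ls, the scrubbed
# PATH executes /bin/ls.
if [ "${DEMO_QUIET:-0}" -eq 0 ]; then
    echo "tainted PATH  -> $(run_ls_with_path '.:/bin:/usr/bin')"
    echo "scrubbed PATH -> $(run_ls_with_path "$(strip_dot_from_path '.:/bin:/usr/bin')")"
fi
```

A trailing "." (or trailing ":") is not safe either: any command that is missing from the system directories, or simply mistyped, is then looked up in the current directory, which is exactly what the planted copies are waiting for. The helper therefore removes every such component, not only a leading one.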