[SLUG] Re: Recovering from mischief

From: marrandy (marrandy@chaossolutions.org)
Date: Sat Aug 24 2002 - 08:50:57 EDT


Hello Darr

On 24-Aug-02, you wrote:

> Hello again,
>
> I posted a thread last week regarding the apparent take over of my server
> by some external source.
>
> Thanks to all for the information on chkrootkit and the like. I ran the
> tools and it reported many missing files, but no direct hits for being
> rooted; however, I am still unable to explain the events that occurred last
> weekend to my server.
>
> It has been suggested by some that perhaps my local email was being
> scanned by whatever or whoever it was and they left covering as much of
> their trail as possible after I sent my request for help. The fact that so
> many of the services just disappeared and numbers of files that just
> vanished may lend credibility to that theory.
>
> I have managed to restore most of my services; however, I am unable to
> regain full usage of mail, ftp or samba.
>
<SNIP>

Managed to restore?

You tried to repair it?

As was the suggestion, you should have put in a new hard drive and restored
a previously good backup to it or just started from a fresh OS install if
you have no backups.

Toolkits look for signatures, much like a virus checker does. It may not
find everything, which is why you start over. Most people like to keep the
'contaminated' drive.

You are skating on thin ice.

Be afraid, be very afraid.

Obviously, a restore from a regular backup prior to the event should have
fixed everything.

If it hasn't, you can only assume that the 'intruders' took control
(rooted you) and jumped to every machine on your LAN, i.e. they are ALL
contaminated.

You will have to be more specific/clear about what you have done.

Regards...Martin



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 16:55:33 EDT