Re: [SLUG] Re: Recovering from mischief

From: Darr Palmer (darr@darrpalmer.com)
Date: Sat Aug 24 2002 - 05:39:01 EDT


On Saturday 24 August 2002 12:50 pm, you wrote:
> Hello Darr
>
> On 24-Aug-02, you wrote:
> > Hello again,
> >
> > I posted a thread last week regarding the apparent takeover of my server
> > by some external source.
> >
> > Thanks to all for the information on chkrootkit and the like. I ran the
> > tools and they reported many missing files, but no direct hits for being
> > rooted; however, I am still unable to explain the events that occurred
> > last weekend on my server.
> >
> > It has been suggested by some that perhaps my local email was being
> > scanned by whatever or whoever it was, and they left, covering as much of
> > their trail as possible, after I sent my request for help. The fact that
> > so many of the services just disappeared and numbers of files just
> > vanished may lend credibility to that theory.
> >
> > I have managed to restore most of my services, however I am unable to
> > regain full usage of mail, ftp or samba.
>
> <SNIP>
>
> Managed to restore?
>
> You tried to repair it?
>
> As was the suggestion, you should have put in a new hard drive and restored
> a previously good backup to it or just started from a fresh OS install if
> you have no backups.
>
> Toolkits look for signatures, much like a virus checker does. They may not
> find everything, which is why you start over. Most people like to keep the
> 'contaminated' drive.
>
> You are skating on thin ice.
>
> Be afraid, be very afraid.
>
> Obviously, a restore from a regular backup prior to the event should have
> fixed everything.
>
> If it hasn't, you can only assume that the 'intruders' took control
> (rooted you) and jumped to every machine on your LAN, i.e. they are ALL
> contaminated.
>
> You will have to be more specific/clear about what you have done.
>
>
> Regards...Martin

I have been trying to repair. I have changed my root passwords and run
antivirus on all the M$ boxes. I looked to make sure only the appropriate
permissions belong to the appropriate users.

I have been uneasy all week trying to patch it. My last two backups are both
suspect, as they both occurred since the time that I now suspect the issue was
going on.

Thanks

Darr
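The thread above turns on two points: signature-based rootkit checkers can miss a modified binary, and a backup taken after the intrusion began is no longer trustworthy as a reference. The script below is an added example, not code from either poster; it shows the check that makes those points concrete, a file-integrity baseline taken from a known-good state and verified later. It assumes a POSIX shell with `find`, `sha256sum` and `mktemp`, and the `demo` function builds a constructed, throwaway directory rather than touching a real system.

```sh
#!/bin/sh
# Added example (not from the thread): SHA-256 baseline of a directory tree,
# verified later to find changed or missing files. Assumes GNU/BSD find,
# coreutils sha256sum and mktemp.

# baseline_hashes DIR
# Print "hash  path" for every regular file under DIR, sorted by path.
# Run this only from a state you trust (fresh install or pre-incident backup):
# a baseline taken after the intrusion just records the attacker's changes.
baseline_hashes() {
    LC_ALL=C find "$1" -type f -exec sha256sum {} + | sort -k2
}

# verify_hashes BASELINE_FILE
# Re-hash every path listed in the baseline. Reports CHANGED and MISSING
# files and returns 0 only if everything matches.
verify_hashes() {
    _status=0
    while read -r hash path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            _status=1
        elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$hash" ]; then
            echo "CHANGED  $path"
            _status=1
        fi
    done < "$1"
    return $_status
}

# demo
# Constructed scenario: baseline two fake binaries, then simulate a tampered
# one and a deleted one (the "services just disappeared" symptom above).
# Returns the verify_hashes status, which is 1 because of the two findings.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin"
    printf 'original ls\n' > "$tmp/bin/ls"
    printf 'original ps\n' > "$tmp/bin/ps"

    baseline_hashes "$tmp/bin" > "$tmp/baseline.sha256"

    printf 'tampered ps\n' > "$tmp/bin/ps"   # replaced binary
    rm -f "$tmp/bin/ls"                      # removed binary

    verify_hashes "$tmp/baseline.sha256"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Usage on a real host would be:  baseline_hashes /usr/bin > /media/ro/base.sha256
# from a trusted boot, then later:  verify_hashes /media/ro/base.sha256
[ "${1:-}" = "demo" ] && demo
```

Keep the baseline file off the host being checked (read-only media or another machine), since a root-level intruder can rewrite a baseline stored locally just as easily as the binaries it describes. The check only ever compares against the state you started from, which is exactly why the reply insists on a clean install or a backup that predates the event.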



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 16:56:03 EDT