announcement The content of this page is collected from Linux Forum, All copyrights and other associated rights are reserved by the original authors of the articles.
HELP - Have attack my Server
Subject: HELP - Have attack my Server
Author: Pisinho    Posted: 2004-08-13 01:55:33    Length: 692 byte(s)
Hi,
I have a server with Qmail, Apache2, Freeradius, MySQL and BIND.

I have firewalled this server with open port of this service.

Recently I have found this daemon which running :

../https www.uol.com.br 80 10000 xx

My bandwidth is down, and don't have idea where is the bug,
I have changed the password for root and unique user but the attacker is
every logged...

Please help me.

P.S.: don't have log, the hacker cleaned the log....


Thanks.


--
Posted via Mailgate.ORG Server - http://www.Mailgate.ORG

Subject: HELP - Have attack my Server
Author: Tim Haynes    Posted: 2004-08-13 06:34:16    Length: 1,751 byte(s)
"Pisinho" [linux@fol.it] writes:

QUOTE
I have a server with Qmail, Apache2, Freeradius, MySQL and BIND.

I have firewalled this server with open port of this service.

Recently I have found this daemon which running :

./https www.uol.com.br 80 10000 xx

My bandwidth is down, and don't have idea where is the bug,
I have changed the password for root and unique user but the attacker is
every logged...

So now they know
    a) you're onto them
    b) root's new password
    c) what users are important to you
    d) what their password-choice strategy is like.

That was not clever.

QUOTE
Please help me.

P.S.: don't have log, the hacker cleaned the log....

[http://www.cert.org/tech_tips/win-UNIX-system_compromise.html]

[http://www.linuxsecurity.com/docs/colsfaq.html] as well. What didn't you
do right, in order to get cracked?

~Tim
--
   13:30:37 up 16 days, 18:21,  3 users,  load average: 0.01, 0.11, 0.15
piglet@stirfried.vegetable.org.uk |As long as I can see the morning
http://spodzone.org.uk/cesspit/   |And blossom turns to bud again in spring

Subject: HELP - Have attack my Server
Author: Gandalf Parker    Posted: 2004-08-13 10:21:57    Length: 793 byte(s)
"Pisinho" [linux@fol.it] wrote in
news:b3f87c4181d697d1fd51fd431d9fb405.100471@mygate.mailgate.org:

QUOTE
P.S.: don't have log, the hacker cleaned the log....

You didn't say what Linux you have.
Sounds like it might be an older rootkit.
Try these commands...

ls -blaRt /dev |grep "^-"
grep -v :x: /etc/passwd
find / |grep tcp.log

You might also try..
strings /bin/ps |grep /
but that is going to give you some results. Unless you have seen it before
you might not spot the change

Gandalf  Parker
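
The first three checks from the post above, collected into one script as an added example (not part of the original post). It takes a root directory so it can be run with trusted tools against a mounted copy of the disk; `find -type f` and `awk` stand in for the `ls | grep` and `grep -v` forms, the UID 0 check goes beyond what the post lists, and the sample tree and its file names are constructed.

```shell
#!/bin/sh
# Added example: triage checks parameterised by a root directory.
# Usage: sh triage.sh /mnt/image   (no argument: constructed sample tree)

# Regular files under <root>/dev. Device nodes, directories and symlinks are
# expected there; on current systems /dev/shm also holds regular files.
dev_regular_files() {
    find "$1/dev" -type f 2>/dev/null
}

# Accounts whose password field is not "x" (not shadowed), plus any extra
# UID 0 account (assumption: only "root" should have UID 0).
passwd_anomalies() {
    awk -F: '
        $2 != "x"               { print "unshadowed: " $1 }
        $3 == 0 && $1 != "root" { print "uid0: " $1 }
    ' "$1/etc/passwd"
}

# Files named like the sniffer log the post searches for.
sniffer_logs() {
    find "$1" -type f -name '*tcp.log*' 2>/dev/null
}

# Constructed sample: one planted file per check, plus entries that must
# not be reported (a symlink in /dev, normal passwd lines).
make_sample_root() {
    r=$(mktemp -d) || return 1
    mkdir -p "$r/dev" "$r/etc" "$r/usr/lib/.x"
    : > "$r/dev/hidden.cfg"
    ln -s /proc/self/fd "$r/dev/fd"
    : > "$r/usr/lib/.x/tcp.log"
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'daemon:x:1:1:daemon:/usr/sbin:/bin/false' \
        'test::0:0::/:/bin/sh' > "$r/etc/passwd"
    echo "$r"
}

scan() {
    echo "== regular files under $1/dev"; dev_regular_files "$1"
    echo "== passwd anomalies";           passwd_anomalies "$1"
    echo "== sniffer-style logs";         sniffer_logs "$1"
}

scan "${1:-$(make_sample_root)}"
```

Every hit is a lead to review against a known-good system of the same distribution, not proof of compromise.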

Subject: HELP - Have attack my Server
Author: jayjwa    Posted: 2004-08-15 11:22:56    Length: 933 byte(s)
On 2004-08-13, Pisinho [linux@fol.it] wrote:
QUOTE
Hi,
I have a server with Qmail, Apache2, Freeradius, MySQL and BIND.

I have firewalled this server with open port of this service.

Recently I have found this daemon which running :

./https www.uol.com.br 80 10000 xx

My bandwidth is down, and don't have idea where is the bug,
I have changed the password for root and unique user but the attacker is
every logged...

Please help me.

P.S.: don't have log, the hacker cleaned the log....


I see the "test"/"guest" SSH attacks got you :P


--
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
