[wplug] Need some help

fobitt fobitt at gmail.com
Sun Oct 22 19:25:39 EDT 2006


Before running anything like chkrootkit or rkhunter you are going to  
want to get a bit-level copy of the server's hard drives. A tool like  
rkhunter is going to stomp all over the MAC times which will make  
things more difficult if you decide to turn it over to a forensics  
analyst.  If you can afford to take the machine offline for a little  
while, I would download a copy of the Helix Live CD available at  
http://www.e-fense.com/helix/. Use dd or dcfldd (or if you boot from  
the LiveCD you can use the GUI front end called Adepto) to acquire  
the image to either a removable hard drive or pipe it over the  
network using netcat. That way you can at least preserve most of the  
important data. Also, do not rely on the operating system to be  
honest with you. Most of the root kits that are in use right now will  
subvert your standard tools like ls, ps and so on. Use the static  
binaries that are also available on the Helix disk.
Also if you have any network logs (i.e. on your gateway) now would be a  
good time to burn them to disk.  To analyze a lot of syslog files I  
usually use a tool called Sawmill that makes it a lot easier.  I'd  
offer to walk you through some of this stuff more directly, but I am  
out of town right now.


On Oct 22, 2006, at 7:07 PM, Tom Rhodes wrote:

> On Sun, 22 Oct 2006 18:49:11 -0400
> "Ken Rambler" <ken at ramblernet.com> wrote:
>
>> WPLUG Friends,
>>
>> I'm needing some assistance with a server issue.
>>
>> Within the past 2 days, I've had one server compromised where a  
>> PayPal spoof site was set up. I'm looking for someone that can help  
>> me identify the means used to gain access. I'd prefer to speak by  
>> phone rather than post my server settings and risk further exploits.
>>
>> If you can spare a few minutes, I would appreciate it. Send me a  
>> reply and I can share the contact number; it's in the Pittsburgh area.
>
> rkhunter is your friend.
> yum update (or FreeBSD-update on my system) is useful.
> check your system logs.
>
> -- 
> Tom Rhodes
> _______________________________________________
> wplug mailing list
> wplug at wplug.org
> http://www.wplug.org/mailman/listinfo/wplug
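The acquisition step from the reply above (a bit-level dd copy taken before any scanner touches the disk), as an added example that is not part of the original thread: a small POSIX sh helper that images a device and verifies the copy by hash, so the image can later be handed to an analyst with a record that it matches the original. It assumes GNU coreutils (dd, sha256sum) run from a trusted live CD; the device path and the collector host in the comments are placeholders.

```shell
#!/bin/sh
# Added example: forensic acquisition with dd plus hash verification.
# Run from a live CD (e.g. Helix) so the dd/sha256sum binaries are not the
# possibly trojaned ones on the compromised host. SRC is normally an
# unmounted block device such as /dev/sda (placeholder); DEST is a file on
# a removable drive with enough space for the whole device.
set -u

# Hex SHA-256 digest of a file or device, nothing else on stdout.
digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# acquire_image SRC DEST
#   Bit-level copy of SRC into DEST, then compare digests of both.
#   Prints the image digest and returns 0 on match, 1 on mismatch,
#   2 if dd itself failed. Side files: DEST.dd.log (dd's record counts)
#   and DEST.sha256 (both digests, for the chain-of-custody notes).
acquire_image() {
    src=$1
    dest=$2
    # noerror: keep reading past bad sectors instead of stopping;
    # sync: zero-fill a short/bad read so later offsets still line up.
    # bs=512 (one sector) is used on purpose: with a larger bs, a short
    # final read is padded to the full block and the image no longer
    # hashes the same as the source (dcfldd avoids this pitfall).
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>"$dest.dd.log" || return 2
    src_hash=$(digest "$src")
    img_hash=$(digest "$dest")
    printf 'source  %s\nimage   %s\n' "$src_hash" "$img_hash" > "$dest.sha256"
    [ "$src_hash" = "$img_hash" ] || return 1
    printf '%s\n' "$img_hash"
}

# Network variant mentioned in the reply (not executed here): on the
# collector run   nc -l -p 9000 > image.dd   (the -p flag differs between
# nc implementations), and on the compromised host pipe the same dd into
# nc COLLECTOR 9000, then hash image.dd on the collector as above.
```

A digest mismatch after an acquisition with no dd errors in DEST.dd.log points at zero-padding of a short final block, not at a corrupted copy; re-check the block size before discarding the image.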


