[wplug] Need some help
fobitt
fobitt at gmail.com
Sun Oct 22 19:25:39 EDT 2006
Before running anything like chkrootkit or rkhunter you are going to
want to get a bit-level copy of the server's hard drives. A tool like
rkhunter is going to stomp all over the MAC times which will make
things more difficult if you decide to turn it over to a forensics
analyst. If you can afford to take the machine offline for a little
while, I would download a copy of the Helix Live CD available at
http://www.e-fense.com/helix/. Use dd or dcfldd (or if you boot from
the LiveCD you can use the GUI front end called Adepto) to acquire
the image to either a removable hard drive or pipe it over the
network using netcat. That way you can at least preserve most of the
important data. Also, do not rely on the operating system to be
honest with you. Most of the rootkits that are in use right now will
subvert your standard tools like ls, ps and so on. Use the static
binaries that are also available on the Helix disk.
Also, if you have any network logs (i.e. on your gateway) now would be
a good time to burn them to disk. To analyze a lot of syslog files I
usually use a tool called Sawmill that makes it a lot easier. I'd
offer to walk you through some of this stuff more directly, but I am
out of town right now.
On Oct 22, 2006, at 7:07 PM, Tom Rhodes wrote:
> On Sun, 22 Oct 2006 18:49:11 -0400
> "Ken Rambler" <ken at ramblernet.com> wrote:
>
>> WPLUG Friends,
>>
>> I'm needing some assistance with a server issue.
>>
>> Within the past 2 days, I've had one server compromised where a
>> PayPal spoof site was set up. I'm looking for someone that can help
>> me identify the means used to gain access. I'd prefer to speak by
>> phone rather than post my server settings and risk further exploits.
>>
>> If you can spare a few minutes, I would appreciate it. Send me a
>> reply and I can share the contact number; it's in the Pittsburgh area.
>
> rkhunter is your friend.
> yum update (or FreeBSD-update on my system) is useful.
> check your system logs.
>
> --
> Tom Rhodes
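Added example (not part of the original post or of the Helix tooling it mentions): a small set of POSIX shell helpers that do the acquisition step described above with dd, record SHA-256 hashes of the source and of the image so a forensic analyst can later prove the image was not altered, and stream the same dd output through netcat when no removable drive is at hand. It assumes GNU coreutils (dd, sha256sum) and a netcat that accepts "-l -p"; the collector address 10.0.0.5 and port 9000 in the comments are made up. In real use the dd and sha256sum you call must be the static copies from the live CD, and the image must go to removable media or across the network, never onto the compromised disk.

```shell
#!/bin/sh
# Forensic acquisition helpers (added example). Source this file from a shell
# whose PATH points at the trusted static binaries from the live CD:
#     . ./acquire.sh
# Assumes GNU coreutils (dd, sha256sum) and a netcat understanding "-l -p".

# Image a block device (or, for testing, a plain file) SRC to DEST and append
# hash records to LOG. bs=512 matches the sector size, so conv=sync never pads
# the end of the image; conv=noerror keeps reading past bad sectors, and sync
# replaces each unreadable block with zeros so every byte keeps its original
# offset. Returns non-zero if the image's hash differs from the source's.
acquire_image() {
    src="$1"; dest="$2"; log="$3"
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>>"$log" || return 1
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$dest" | cut -d' ' -f1)
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s source=%s sha256=%s\n' "$ts" "$src" "$src_hash" >>"$log"
    printf '%s image=%s sha256=%s\n' "$ts" "$dest" "$img_hash" >>"$log"
    [ "$src_hash" = "$img_hash" ]
}

# Re-hash an existing image IMG and compare it with the hash recorded for it
# in LOG. Fails if there is no record or the image has changed since.
verify_image() {
    img="$1"; log="$2"
    recorded=$(grep -F "image=$img sha256=" "$log" | tail -n 1 | sed 's/.*sha256=//')
    [ -n "$recorded" ] || return 1
    current=$(sha256sum "$img" | cut -d' ' -f1)
    [ "$recorded" = "$current" ]
}

# The same dd invocation, but to stdout, for piping over the network.
# On the collector (hypothetical address 10.0.0.5):
#     nc -l -p 9000 > server.dd
# On the compromised host:
#     stream_device /dev/sda | nc 10.0.0.5 9000
# Afterwards hash server.dd on the collector and compare it with the output
# of "sha256sum /dev/sda" run on the host, as acquire_image does locally.
stream_device() {
    dd if="$1" bs=512 conv=noerror,sync 2>/dev/null
}
```

The hash records in the log are what you hand over with the image: anyone can re-run verify_image months later and show the image still matches what was read off the disk on the day of the incident.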