April 14th, 2003, 02:59 PM
I hope this is the right place for this, but here goes.
One of my clients (that don't give two hoots about upgrading and patching... go figure) got cracked. I know this because when you type #init 6 you get:
[root@xxxxxx mail]# init 6
\~x.X' world for sonhonhocas crew
U bambulua house
*****: Got signal 11 while manipulating kernel!
* was not a *
Can anyone tell me how I could fing out more about what this person did. He/She covered it's tracks in the logs quite well.
April 14th, 2003, 03:59 PM
What OS is this on...I'm guess some version of *nix.
With tha I amy be able to help
Ok I can help with out that info....who have you been letting on your system?
someone installed a rootkit called suckit
here is the readme for the rootkit with info on defeateing it
here is a guys experience with finding and removeing it
April 14th, 2003, 04:24 PM
My recommendation to you would be to salvage what data you can (and carefully review it for manipulation and/or backdoors) and reinstall the OS, making sure to take the time to patch and lock down the server. This is the only way you can be 100% sure that there are no other backdoors or things you may have missed, and maybe if your client loses a little data, they will take locking down their box a little more seriously.
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
April 15th, 2003, 06:51 AM
Salvage and restore is pretty much what I am doing. Sorry I did not mention that it was red hat 7.3 running as a mail server with httpd running. Thanx again, I need to get back to restoring all the mail users.
April 30th, 2003, 10:56 PM
I would have to agree with most of the post, recover and reload what you can. Who knows what they did or got into without some sort of log.
May 1st, 2003, 12:04 AM
Man, I am sorry that happened to you. Was the web page defaced?
Also, you might wanna check for rootkits installed...
Is that the full doc left behind?
Lastly, it is kinda interesting to note HOW these guys left thier calling card behind. It is very unfortunate this happened to you, but thanks for sharing.
May 1st, 2003, 12:53 AM
lookup their 'calling card' with google, you`ll be amazed at how a line of words can trace people down, i got the address of someone who defaced a site of mine because of a lame host and with their group name i found their site, with the owner putting his address and phone number down which i looked up from the dns. I didn't do anything though, as i didn't use the site, but it's amazing just how much you can find out if you know how and where to look.
May 1st, 2003, 01:13 AM
lmao my guess whoever did this wasnt decent or professional enough to leave a backup of the damaged files.