
Thread: Hacked

  1. #1
    Member
    Join Date
    Jan 2003
    Posts
    64

    Hacked

    I hope this is the right place for this, but here goes.

    One of my clients (who doesn't give two hoots about upgrading and patching... go figure) got cracked. I know this because when you type #init 6 you get:

    >
    [root@xxxxxx mail]# init 6
    _ __/|
    \~x.X' world for sonhonhocas crew
    =(___)=
    U bambulua house


    *****: Got signal 11 while manipulating kernel!
    >
    * was not a *

    Can anyone tell me how I could find out more about what this person did. He/She covered their tracks in the logs quite well.

    Thank you,

    ./GPF
    Dain Bramaged

  2. #2
    Senior Member
    Join Date
    Mar 2003
    Location
    central il
    Posts
    1,779
    What OS is this on... I'm guessing some version of *nix.
    With that I may be able to help.


    Ok, I can help without that info... who have you been letting on your system?

    Someone installed a rootkit called suckit.
    Here is the readme for the rootkit with info on defeating it:
    http://hysteria.sk/sd/f/suckit/readme

    Here is a guy's experience with finding and removing it:
    http://www.soohrt.org/stuff/linux/suckit/

  3. #3
    Jaded Network Admin nebulus200
    Join Date
    Jun 2002
    Posts
    1,356
    My recommendation to you would be to salvage what data you can (and carefully review it for manipulation and/or backdoors) and reinstall the OS, making sure to take the time to patch and lock down the server. This is the only way you can be 100% sure that there are no other backdoors or things you may have missed, and maybe if your client loses a little data, they will take locking down their box a little more seriously.

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  4. #4
    Member
    Join Date
    Jan 2003
    Posts
    64
    Thanks guys,
    Salvage and restore is pretty much what I am doing. Sorry I did not mention that it was Red Hat 7.3 running as a mail server with httpd running. Thanks again, I need to get back to restoring all the mail users.

    ./GPF
    Dain Bramaged

  5. #5

    Hacked

    I would have to agree with most of the posts: recover and reload what you can. Who knows what they did or got into without some sort of log.

    Hedge

  6. #6
    Man, I am sorry that happened to you. Was the web page defaced?

    Also, you might wanna check for rootkits installed...

    Is that the full doc left behind?

    Lastly, it is kinda interesting to note HOW these guys left their calling card behind. It is very unfortunate this happened to you, but thanks for sharing.
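    As an added example (not from any of the posters, and not SucKIT's own readme or tooling), here is the kind of offline triage script that goes with the advice in #2, #3 and #6: pull the disk, mount it read-only on a clean host, and inspect it from there, because once a /dev/kmem rootkit like suckit is loaded nothing the live box reports (ps, ls, init, even the kernel's own syscall table) can be believed. The script assumes the victim's filesystem is mounted under the path given as its first argument (say /mnt/evidence) and that the RPM database on the image is intact; it verifies package files against that database with rpm's --root option, lists regular files parked under /dev (a classic rootkit stash, since /dev should hold only device nodes), and greps the image for the banner string from the calling card. The sample `rpm -Va` lines in the test are constructed, not real output from the poster's server.

```shell
#!/bin/sh
# Added example, not from the thread. Offline triage of a compromised Red Hat
# box whose disk is mounted read-only on a clean host at "$1" (assumption:
# e.g. /mnt/evidence). Nothing on the image is executed or trusted.

# Classify `rpm -Va` verify output read on stdin. Each line is a flag string
# then a path, e.g.   S.5....T.   /sbin/init
# Flags: S size, M mode, 5 checksum, D device, L symlink, U user, G group,
# T mtime (P capabilities on newer rpm); '.' = unchanged, '?' = unreadable.
# Config/doc files carry a one-letter marker (c, d, l, g) before the path and
# files that vanished are reported as "missing     /path".
# Emits "MODIFIED <path>" for system binaries/libraries whose size or checksum
# changed (an mtime-only change is noise) and "MISSING <path>" for anything
# a package owned that is gone.
flag_modified_binaries() {
    while read -r flags rest; do
        case "$rest" in
            [cdlg]" "*) path=${rest#* } ;;   # strip the file-type marker
            *)          path=$rest      ;;
        esac
        if [ "$flags" = missing ]; then
            printf 'MISSING %s\n' "$path"
            continue
        fi
        case "$path" in
            /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*|/lib/*|/usr/lib/*) ;;
            *) continue ;;   # config files etc. change legitimately
        esac
        case "$flags" in
            S*|??5*) printf 'MODIFIED %s\n' "$path" ;;
        esac
    done
}

# Regular files under /dev on the image; there should be none.
regular_files_in_dev() {
    find "$1/dev" -type f 2>/dev/null | sort
}

# Files on the image carrying the attacker's banner string ($2); the binary
# that prints it is the replaced init or a helper worth pulling for analysis.
find_calling_card() {
    grep -rl -- "$2" "$1" 2>/dev/null | sort
}

# Full report against a mounted image. rpm --root verifies the image's files
# against the image's own package database (rpm chroots into it).
triage() {
    root=$1
    echo "== package files changed or missing under $root"
    rpm -Va --root "$root" 2>/dev/null | flag_modified_binaries
    echo "== regular files under $root/dev"
    regular_files_in_dev "$root"
    echo "== files carrying the banner string"
    find_calling_card "$root" 'sonhonhocas'
}

if [ $# -ge 1 ]; then
    triage "$1"
fi
```

    Usage: `sh triage.sh /mnt/evidence` on the clean host. A hit on /sbin/init or on a libc/libproc library is the strong signal here; a clean report is not proof of anything, since the attacker had root and could have fixed up the RPM database too, which is exactly why #3's reinstall-from-scratch advice stands regardless of what this turns up.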

  7. #7
    Look up their 'calling card' with Google; you'll be amazed at how a line of words can trace people down. I got the address of someone who defaced a site of mine because of a lame host: with their group name I found their site, with the owner putting his address and phone number down, which I looked up from the DNS. I didn't do anything though, as I didn't use the site, but it's amazing just how much you can find out if you know how and where to look.

  8. #8
    Fastest Thing Alive s0nIc
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584
    lmao, my guess is whoever did this wasn't decent or professional enough to leave a backup of the damaged files.
