Forensics On a Cracked Linux Server
This blog entry is the step-by-step process that one administrator followed to figure out what was going on with a cracked Linux server. It's quite interesting to me, since I have had the exact same problem (a misbehaving ls -h command) on a development server quite a while back. As it turns out, my server was cracked, maybe with the same tool, and this analysis is much more thorough than the one I was able to do at the time. If you've ever wondered how to diagnose a Linux server that has been hijacked, this short article is a good starting point.
On the other hand, shutting down the box ASAP makes it much harder to find the guy.
For example, one of Vodafone Greece's first reactions to finding that some of their switching systems had been rootkitted was to remove the offending software. This removal was one of the main contributing factors to the authorities having no chance to ever find the group that had compromised the system; that, along with a couple of other screwups, led to Vodafone getting fined a pretty hefty sum.
http://en.wikipedia.org/wiki/Greek_telephone_tapping_case_2004-2005
IEEE Spectrum had a recent article that had MUCH better information than Wikipedia, though; I don't have it with me at the moment, unfortunately.
retrorocket.o not found, launch anyway?
I work in a large, low-end datacenter. Almost all the servers there are rented by non-technical people, who for some reason feel qualified to run web hosting businesses. There are so many exploits going on there at any given time that we can't really do anything about it--especially as, theoretically, the customer is responsible. So when they call in because their server is running slow, we usually find a PHP hijack happening, tell them their server has been compromised, and suggest that they do something about it.
It's pretty appalling. We would need an army of sysadmins--an army which is currently employed already--to really do something about it. Most of what we see are primitive script kiddie hacks, but guess what--that's good enough, and rarely are the perpetrators hunted down.
Who knows what the more sophisticated hackers are up to!
expandfairuse.org