Slashdot Mirror


Forensics On a Cracked Linux Server

This blog entry is the step-by-step process that one administrator followed to figure out what was going on with a cracked Linux server. It's quite interesting to me, since I have had the exact same problem (a misbehaving ls -h command) on a development server quite a while back. As it turns out, my server was cracked, maybe with the same tool, and this analysis is much more thorough than the one I was able to do at the time. If you've ever wondered how to diagnose a Linux server that has been hijacked, this short article is a good starting point.

1 of 219 comments

  1. Re:Further discussion... by Andy Dodd · Score: 4, Interesting

    On the other hand, shutting down the box ASAP makes it much harder to find the guy.

    For example, one of Vodafone Greece's first reactions to finding that some of their switching systems had been rootkitted was to remove the offending software. This removal was one of the main contributing factors to the authorities having no chance to ever find the group that had compromised the system; that, along with a couple of other screwups, led to Vodafone getting fined a pretty hefty sum.

    http://en.wikipedia.org/wiki/Greek_telephone_tapping_case_2004-2005

    IEEE Spectrum had a recent article that had MUCH better information than Wikipedia, though; I don't have it with me at the moment, unfortunately.

    --
    retrorocket.o not found, launch anyway?