[TriLUG] My server hacked

Jon Carnes jonc at nc.rr.com
Thu Sep 25 16:06:32 EDT 2003


What OS is your server?  If you are running Red Hat or Mandrake, you can
boot using the Install/rescue CD and then check the integrity of
libraries and applications using the rpms.

If your server has been rooted, then you'll need to use external
applications to find the contaminated files.

You might find it simpler to just save off your /etc directory and any
other configuration files and then do a re-install (then update every
service and make sure your firewall is up to snuff!).

If you save the /etc files then be sure to check on your passwd file and
to assign different passwords to root and all other users.

Good Luck - Jon Carnes

On Thu, 2003-09-25 at 15:24, Hariharan Gopalan wrote:
> Looks like my server has been hacked, wonder if someone could please help
> me find out what's been compromised.
> 
> Today when I ran the "iptables -t nat -L" on my server I found this entry:
> 
> DNAT    tcp  --  203.196.193.102   anywhere  tcp dpt:smtp myserverip:42424
> DNAT    tcp  --  203.115.97.35     anywhere  tcp dpt:smtp myserverip:42424
> 
> I promptly removed these two rules from the chain.
> 
> I'm not sure how this could have gotten here.
> 
> Then I used VisualRoute to trace where this IP was, and it is coming
> from somewhere in India.
> 
> Looks like someone has been using my server as a mail server, but I
> cannot find any daemon running on port 42424.
> 
> Any ideas how I can dig into this?
> 
> Any help would be very welcome.
> 
> thanks a bunch
> 
> Hari
> 
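Added example, not from either poster: two small shell helpers that do the triage Jon describes on the output of the commands Hari and Jon mention. The first pulls out of `iptables -t nat -L -n` every DNAT rule that takes traffic bound for SMTP (port 25) and rewrites it to some other port, the pattern Hari found. The second reads `rpm -Va` output and keeps only the lines that matter: a changed MD5 on a non-config file, or a file that is missing. The sample text below is constructed for the example (the two source addresses are the ones from Hari's post; 192.0.2.x addresses stand in for "myserverip" and are an assumption). On a real box, run the verification from the rescue CD's own rpm binary against the mounted installation (`rpm -Va --root /mnt/sysimage`, or `rpm -Vp` against the original packages on the install media), because a rootkit will typically have replaced ps, netstat, ls and possibly rpm itself, which is also why a hidden listener on 42424 would not show up from the running system.

```shell
#!/bin/sh
# Added example for the TriLUG thread, not the posters' own code.
# Both helpers read command output on stdin and print only what deserves a look.

# Print every DNAT rule whose match is destination port 25 (shown as "dpt:25"
# with -n, or "dpt:smtp" without it) and whose rewrite target is NOT port 25.
# A legitimate DNAT to a mail relay keeps port 25; a redirect to 42424 does not.
find_smtp_dnat() {
    awk '
        $1 == "DNAT" {
            dport = ""; to = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^dpt:/) dport = substr($i, 5)
                if ($i ~ /^to:/)  to = substr($i, 4)
            }
            if (dport != "25" && dport != "smtp") next
            # "to:" is host:port; the port is the part after the last colon
            n = split(to, parts, ":")
            if (parts[n] != "25" && parts[n] != "smtp") print
        }'
}

# Keep the lines of `rpm -Va` that indicate tampering:
#   - attribute column contains "5" (MD5 digest differs) and the file is not
#     a config file (second column "c"), since config files change legitimately
#   - the file is reported "missing"
rpm_va_suspects() {
    awk '
        NF == 0 { next }
        $1 == "missing" { print; next }
        $1 ~ /5/ && $2 != "c" { print }
    '
}

# --- constructed sample data (assumption: not captured from the real server) ---
# 192.0.2.10 stands in for "myserverip" in the post; the last DNAT rule is a
# benign relay to a real mail host on port 25 and must not be flagged.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  203.196.193.102      0.0.0.0/0            tcp dpt:25 to:192.0.2.10:42424
DNAT       tcp  --  203.115.97.35        0.0.0.0/0            tcp dpt:25 to:192.0.2.10:42424
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.0.2.20:8080
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:192.0.2.11:25

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.168.1.0/24       0.0.0.0/0'

# Constructed `rpm -Va` output: replaced ps and netstat, a harmless mtime-only
# change on ls, an edited config file, and a deleted top.
SAMPLE_RPMVA='S.5....T    /bin/ps
S.5....T    /bin/netstat
.......T    /usr/bin/ls
S.5....T  c /etc/sendmail.cf
missing     /usr/bin/top'

echo "== DNAT rules redirecting SMTP to another port =="
printf '%s\n' "$SAMPLE_NAT" | find_smtp_dnat
echo "== rpm -Va lines worth investigating =="
printf '%s\n' "$SAMPLE_RPMVA" | rpm_va_suspects
```

Running the script on the samples flags the two 42424 redirects and leaves the relay rule alone, and lists ps, netstat and the missing top while skipping the config file and the mtime-only change. Anything rpm_va_suspects prints is a file to restore from known-good media, and since ps and netstat are on that list, nothing the running system reports about open ports can be trusted.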