  1. #1
    Join Date
    Sep 2003
    Location
    London, UK
    Posts
    188

    how do you find out how your server is compromised

    My server's been hacked. I'm putting a spare up, but I'm at a loss as to where it's been compromised.

    I'd had a couple of email warnings about it portscanning and high server loads.

    Are there any good how-to's or tutorials to help track down the problem, I don't want to put a new server up and for the same thing to happen.

    Thanks, Rob.
    Rob Johnston | LucidUK.com | [email protected]
    Who is Rob? boobear.co.uk
    MSN: [email protected] | AIM: rob at lucid

  2. #2
    Depends on what system, but regardless of this you should disconnect the server from the network ASAP. If you keep the server online you risk having other (trusted) servers being hacked or damaged too, and besides, it helps when doing forensics on a hacked server if it's offline.

    For Windows you can try software like Spyware Doctor (sp?) or Avast, which can detect most viruses, trojans etc. But I'm no Windows expert so there might be better ways...

    For Linux/Unix, try something like chkrootkit or rkhunter. Don't trust commands such as "ps" or "top" because a hacked server could have fake replacements. The easiest is to boot from a CD such as Knoppix and then scan your hard drive from there.

    I recommend you rebuild the server from scratch (as in re-format and reinstall the OS etc.) and then prepare it with some IDS tools and set up a nice firewall or two before putting it online again. IDS = intrusion detection tools. You can google for all these things.

    Make sure you keep your server up-to-date with the latest security patches. This is an ongoing thing, so don't just leave your server running without updating it.

    Good luck

  3. #3
    Join Date
    Apr 2003
    Location
    NC
    Posts
    3,080
    High server loads might just be a busy server. The portscanning does not sound good but are you sure it was coming from your server and not directed at it?

    As posted above rkhunter is a really good way to do a quick check to see if your system has been penetrated. Please note that simply because rkhunter shows you are all clean does not necessarily mean you are! It is possible to not have something show up. I would run it first though and see what happens.
    John W, CISSP, C|EH
    MS Information Security and Assurance
    ITEagleEye.com - Server Administration and Security
    Yawig.com - Managed VPS and Dedicated Servers with VIP Service

  4. #4
    Join Date
    Sep 2003
    Location
    London, UK
    Posts
    188
    I'm pretty sure it was my server; I just had an email saying my server was trying to break into another system's SSH by brute force.

    I have, and run, both chkrootkit and rkhunter, plus portsentry and logsentry; nothing odd showed up.

    I'm at a loss to know what to check next.

    Thanks, Rob.
    Rob Johnston | LucidUK.com | [email protected]
    Who is Rob? boobear.co.uk
    MSN: [email protected] | AIM: rob at lucid

  5. #5
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,290
    Your server may not be root compromised, which is why the rootkit checkers are coming up negative. Instead you could have a PHP script that was exploited and is allowing an attacker to run portscanning/SSH brute-force binaries/scripts through the apache user.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
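Following on from that last reply, here is an added example (my own code, not posted by anyone in this thread) of the kind of check that catches a web-user compromise the rootkit scanners miss. It reads /proc directly instead of trusting ps/top/netstat, per the earlier warning about replaced binaries, and flags processes running as the apache account that are not the web server itself, executables launched from /tmp or unlinked after start, and apache-owned outbound SSH connections. The uid 48, the list of expected web-server binaries and the scratch directories are assumptions for the demo, and the /proc tree it runs against is constructed inline.

```python
import os
import tempfile

# Assumptions (not from the thread): the web server's uid, the binaries that
# account is expected to run, and the scratch dirs attackers drop tools into.
WEB_UIDS = {48}  # "apache" on Red Hat-style systems; check /etc/passwd on yours
EXPECTED_WEB_BINARIES = {"httpd", "apache2", "php-cgi", "php-fpm"}
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
SSH_PORT = 22

def parse_status(text):
    """Command name and real uid from /proc/<pid>/status."""
    fields = dict(line.split(":", 1) for line in text.splitlines() if ":" in line)
    return {"name": fields["Name"].strip(), "uid": int(fields["Uid"].split()[0])}

def list_processes(proc_root):
    """Enumerate processes from the kernel's own view, bypassing ps/top."""
    procs = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pdir = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(pdir, "status")) as fh:
                info = parse_status(fh.read())
            with open(os.path.join(pdir, "cmdline"), "rb") as fh:
                info["cmdline"] = fh.read().replace(b"\0", b" ").decode("utf-8", "replace").strip()
        except (OSError, KeyError):
            continue  # process exited while we were looking
        try:  # readlink does not resolve, so a " (deleted)" suffix survives
            info["exe"] = os.readlink(os.path.join(pdir, "exe"))
        except OSError:
            info["exe"] = "?"  # exe links of other users' processes need root
        procs.append(dict(info, pid=int(entry)))
    return procs

def hex_to_addr(hexaddr):
    """'0A00000A:0016' as written in /proc/net/tcp -> ('10.0.0.10', 22)."""
    ip_hex, port_hex = hexaddr.split(":")
    return ".".join(str(b) for b in reversed(bytes.fromhex(ip_hex))), int(port_hex, 16)

def parse_net_tcp(text):
    """IPv4 sockets from /proc/net/tcp; state 0A = LISTEN, 01 = ESTABLISHED."""
    socks = []
    for line in text.splitlines()[1:]:  # first row is the header
        f = line.split()
        if len(f) >= 8:
            socks.append({"local": hex_to_addr(f[1]), "remote": hex_to_addr(f[2]),
                          "state": f[3], "uid": int(f[7])})
    return socks

def find_suspects(proc_root, web_uids=WEB_UIDS):
    """Return (pid_or_None, description, [reasons]) for anything worth a look."""
    findings = []
    for p in list_processes(proc_root):
        reasons = []
        if p["uid"] in web_uids and p["name"] not in EXPECTED_WEB_BINARIES:
            reasons.append("non-server process running as the web user")
        if p["exe"].startswith(SCRATCH_DIRS):
            reasons.append("executable lives in a world-writable scratch dir")
        if p["exe"].endswith(" (deleted)"):
            reasons.append("binary unlinked after launch, so file scans miss it")
        if reasons:
            findings.append((p["pid"], p["cmdline"], reasons))
    with open(os.path.join(proc_root, "net", "tcp")) as fh:
        socks = parse_net_tcp(fh.read())
    for s in socks:  # an established apache-owned socket to port 22 is the brute-forcer
        if s["uid"] in web_uids and s["state"] == "01" and s["remote"][1] == SSH_PORT:
            findings.append((None, "%s:%d -> %s:%d" % (s["local"] + s["remote"]),
                             ["web user holds an outbound SSH connection"]))
    return findings

def build_sample_proc(root):
    """Constructed fake /proc: a healthy httpd plus a scanner run from /tmp, binary since deleted."""
    def add(pid, name, uid, cmdline, exe):
        d = os.path.join(root, str(pid))
        os.makedirs(d)
        with open(os.path.join(d, "status"), "w") as fh:
            fh.write("Name:\t%s\nUid:\t%d\t%d\t%d\t%d\n" % ((name,) + (uid,) * 4))
        with open(os.path.join(d, "cmdline"), "wb") as fh:
            fh.write(cmdline.replace(" ", "\0").encode() + b"\0")
        os.symlink(exe, os.path.join(d, "exe"))
    add(1, "init", 0, "/sbin/init", "/sbin/init")
    add(1234, "httpd", 48, "/usr/sbin/httpd -DFOREGROUND", "/usr/sbin/httpd")
    add(4321, "sshscan", 48, "./sshscan 10.0.0.0/8", "/tmp/.x/sshscan (deleted)")
    os.makedirs(os.path.join(root, "net"))
    with open(os.path.join(root, "net", "tcp"), "w") as fh:
        fh.write("  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
                 "   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    48        0 1001 1\n"
                 "   1: 0101A8C0:C350 0A00000A:0016 01 00000000:00000000 00:00000000 00000000    48        0 1002 1\n")

def demo():
    root = tempfile.mkdtemp()  # use "/proc" and your real web uid on a live box
    build_sample_proc(root)
    return find_suspects(root)

if __name__ == "__main__":
    print("\n".join("%s %s: %s" % (p, w, "; ".join(r)) for p, w, r in demo()))
```

Run find_suspects("/proc") as root on the still-running (but network-disconnected) box; a Knoppix boot gives you the disk to scan but not the victim's process table, so this part has to happen before you power it off. For each suspect pid, /proc/<pid>/cwd and /proc/<pid>/fd show where it was launched from and what it has open, and the Apache access log around the process start time usually shows the request that fired the exploited script.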
