Thread: Is the box hacked?
-
06-14-2005, 12:19 PM #1Web Hosting Guru
- Join Date
- Aug 2004
- Location
- Tor-NY-BJ
- Posts
- 330
Is the box hacked?
Two weird things happened.
1. After I su'd, I used the Up Arrow key to recall the previous command, and I saw "last | more", which I never used. I checked last | more but saw no IP other than the one I log in from. Since I have used su many times, it cannot be from the initial setup.
2. My Mem in top has always been at least 20M regardless of whether there are hits on httpd or not. But one day it suddenly dropped to 10M, and since then it has stayed at 10M. So I wonder what made the Mem usage 20M for 5 days and then suddenly drop back to 10M? Was it some process running under a common name?
I have 2 requests:
1. How to check if the box is hacked?
2. How to check the FULL path of the program running in top, since it only gives the brief name of the program, such as httpd, sshd, cron. I am worried the hacker may name their programs httpd too.
-
06-14-2005, 12:57 PM #2Web Hosting Master
- Join Date
- Jul 2002
- Posts
- 1,443
ps -aux | grep programname
Synergy Blue LLC
SonataWeb.net | SynergyBlue.com
USA should do something about: http://www.brillig.com/debt_clock/
-
06-14-2005, 01:02 PM #3Web Hosting Master
- Join Date
- Nov 2004
- Location
- India
- Posts
- 1,104
Qllonceagain,
It's advisable to have your system admin do a security audit ASAP.
AssistanZ - Beyond Boundaries...
Cloudstack Consultancy / 24x7 Web Hosting Support / 24x7 Server Management / Infrastructure Management Services
Web & Mobile Apps Development / Web Designing Services / Php, Grails, Java Development
-
06-14-2005, 02:32 PM #4Web Hosting Master
- Join Date
- Jul 2002
- Posts
- 3,734
Use:
top -c
to get the whole command line.
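Both answers above show what the process says about itself: ps and top -c print the command line, and a process can overwrite its own argv[0] to read "httpd". The kernel's /proc/PID/exe link shows the binary actually mapped, including "(deleted)" when the file was unlinked after it started. The script below is an added example written for this thread, not something posted in it. It assumes a Linux /proc that provides /proc/PID/comm, and the TRUSTED_DIRS list is an assumption to adjust for the host.

```shell
#!/bin/sh
# Added example (not from the thread): resolve the real binary behind every
# process name that top shows, and flag executables living outside the usual
# system directories or already deleted from disk. Assumes a Linux /proc with
# /proc/PID/comm; TRUSTED_DIRS is an assumption to adjust per host.

TRUSTED_DIRS="/bin /sbin /usr/bin /usr/sbin /usr/lib /usr/libexec /usr/local/bin /usr/local/sbin"

# classify_exe PATH: prints ok | deleted | suspicious | unknown.
# Returns 0 only for ok. " (deleted)" is what readlink on /proc/PID/exe shows
# when the binary was unlinked after exec, a common trick for hiding a payload.
classify_exe() {
    exe="$1"
    [ -z "$exe" ] && { echo unknown; return 1; }
    case "$exe" in
        *" (deleted)") echo deleted; return 1 ;;
    esac
    for d in $TRUSTED_DIRS; do
        case "$exe" in
            "$d"/*) echo ok; return 0 ;;   # literal dir prefix plus a slash
        esac
    done
    echo suspicious
    return 1
}

# report_procs [NAME]: one line per process (all of them, or only those whose
# short name equals NAME, e.g. httpd) with the real executable, the working
# directory, the full command line and the verdict. Run as root so that every
# /proc/PID/exe link is readable; unreadable ones are reported as unknown.
report_procs() {
    want="${1:-}"
    for p in /proc/[0-9]*; do
        pid="${p#/proc/}"
        comm=$(cat "$p/comm" 2>/dev/null) || continue
        if [ -n "$want" ] && [ "$comm" != "$want" ]; then continue; fi
        exe=$(readlink "$p/exe" 2>/dev/null) || exe=""
        cwd=$(readlink "$p/cwd" 2>/dev/null) || cwd="?"
        cmd=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null)   # argv is NUL-separated
        verdict=$(classify_exe "$exe") || true
        printf '%-6s %-15s %-10s exe=%s cwd=%s cmd=%s\n' \
            "$pid" "$comm" "$verdict" "${exe:-(unreadable)}" "$cwd" "$cmd"
    done
}

# Usage:  report_procs          # every process
#         report_procs httpd    # only processes whose short name is httpd
# Anything that is not "ok" deserves a look, e.g. exe=/tmp/.x/httpd or an
# exe ending in "(deleted)" while the cmd column still says httpd.
```

The cwd column is worth reading too: a real httpd rarely runs out of /tmp or /dev/shm. On a box that is already rooted, a kernel module can lie about /proc as well, so treat a clean listing as one data point rather than proof.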
-
06-15-2005, 02:56 AM #5Web Hosting Guru
- Join Date
- Mar 2003
- Location
- tail -f /var/log/nerd
- Posts
- 318
I just posted this 5 minutes ago in another forum, but install some rootkit detection software and run it daily. Set up logwatch and look at your server's output every day.
Chkrootkit: http://www.chkrootkit.org
Root Kit Hunter: http://www.rootkit.nl/projects/rootkit_hunter.html
Install both of them and run them from cron daily to email you the results.
If you are rooted, then wipe the box and start fresh; it is the only way to be sure the hacker is out of your system.
Best of luck to you,
CMega Hosters Inc. - The Last Host You Will Ever Need!
Hsphere Control Panel, 24/7 Phone Support, EasyApp, Shared SSL, Daily Backups, Dedicated IPs, PHP4 & PHP5, FFMPEG, Legal Adult Content Allowed + More!
Treating A Customer The Way They Should Be Treated For Over 5.5 Years Now!
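The post above says to run chkrootkit and Rootkit Hunter from cron every day and mail the results. The wrapper below is an added example written for this thread, not code from either project or from the poster. It assumes both tools are installed in PATH, that a working mail command exists, and that the recipient address and report directory are placeholders to change. The command-line flags used are the tools' documented ones (chkrootkit -q for quiet mode; rkhunter --check --skip-keypress --report-warnings-only --nocolors, and rkhunter --update).

```shell
#!/bin/sh
# Added example (not from the thread): daily cron wrapper that runs chkrootkit
# and rkhunter, keeps a dated copy of the combined output, and mails it with
# a one-word verdict in the subject so a hit stands out in the inbox.

ADMIN_MAIL="root@localhost"            # assumption: replace with your address
REPORT_DIR="/var/log/rootkit-checks"   # assumption: any root-only directory

# classify_report FILE: prints ALERT if the combined output contains a hit,
# clean otherwise. Matches chkrootkit's upper-case INFECTED verdicts and
# rkhunter's "Warning:" / "[ Warning ]" lines. Returns 0 for clean, 1 for ALERT.
# chkrootkit's "not infected" lines are lower case and are not matched.
classify_report() {
    if grep -Eq 'INFECTED|^Warning:|\[ Warning \]' "$1"; then
        echo ALERT
        return 1
    fi
    echo clean
    return 0
}

# run_checks: run both scanners, store the report, mail it to ADMIN_MAIL.
run_checks() {
    today=$(date +%F)
    report="$REPORT_DIR/$today.txt"
    mkdir -p "$REPORT_DIR"
    chmod 700 "$REPORT_DIR"
    {
        echo "== chkrootkit =="
        chkrootkit -q 2>&1                      # -q: print only findings
        echo "== rkhunter =="
        rkhunter --update --nocolors 2>&1       # refresh its signature data
        rkhunter --check --skip-keypress --report-warnings-only --nocolors 2>&1
    } > "$report"
    verdict=$(classify_report "$report") || true
    mail -s "rootkit check $(hostname) $today: $verdict" "$ADMIN_MAIL" < "$report"
}

# Usage: save as /usr/local/sbin/rootkit-check.sh (assumed path), make it
# root-only and executable, and add a root crontab entry such as
#   0 3 * * * /usr/local/sbin/rootkit-check.sh
# then call run_checks from the script's last line.
```

Read the mail even when the subject says clean: a scanner running on a box that is already rooted is itself running under the attacker's kernel, so a clean result is weaker evidence than an ALERT, and the reply that follows makes the same point about logs.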
-
06-15-2005, 08:08 AM #6Newbie
- Join Date
- Sep 2003
- Posts
- 29
That is good advice. I would add that you can't count on the logs if the system has been compromised. Depending on what rootkit is running, you may not see anything unusual.
Remember - these days most of the "rooters" out there are pretty invested in flying under the radar so they can keep the box around as a spamming machine or to host phishing sites.