Comments on: Hacked! Part 1 – The Surprise

By: Andrew Smith

Andrew Smith — Tue, 06 Oct 2009 00:37:24 +0000

Hi Doug. Unfortunately the best advice I can give you is scrap (format and reinstall) the box, and restore your web applications selectively, one by one. Finding exactly what app got broken into is difficult, but you’ll find clues by looking and file and process owners. I wish I could tell you it’s easy :)

By: Doug

Doug — Mon, 05 Oct 2009 18:07:54 +0000

Hey brother! I had the same problem, but my PIDs are from apache web server. How do you fix that? I think that something with the PHP and APACHE. Thanks lot! []s

By: John Selmys

John Selmys — Sun, 11 Jan 2009 16:14:21 +0000

That does it!
As soon as I get back from FUDCon I’m making backups.

By: Dejan

Dejan — Sun, 11 Jan 2009 12:05:34 +0000

Let us know more if you can find some clues. Don’t you have a firewall to block unneeded port numbers?

By: Chris Tyler

Chris Tyler — Sun, 11 Jan 2009 09:45:15 +0000

PPID==1 indicates that the parent process terminated and orphaned the process. Init contains code to reap dead children to prevent zombies.

As badly maligned as SELinux sometime is (usually by lazy or inflexible sysadmins), it drastically reduces the effectiveness of most attacks.

By: Cesar

Cesar — Sat, 10 Jan 2009 17:47:21 +0000

Exciting! Let us know more. I thought that maybe running sshd/vsftpd on different ports would help. It’s something I did a while back when I ran a server at home. But it sounds like someone was targeting your box, and would have probably done a more through scan. It’ll be interesting if you can find out how they got through.