Linux, Unix, and *nix like Operating Systems Forum

    
DDOS hacked my server to attack other server
kittychuk




msg:907085
 1:40 pm on Sep 19, 2005 (gmt 0)

Dear All,

I'm a server owner. I have received a complaint email from my data center. They said that my server is attacking another server (DDoS).
Maybe someone hacked my server to install software to control my server. How can I check it?

BR
Kitty

 

StupidScript




msg:907086
 6:16 pm on Sep 19, 2005 (gmt 0)

Can you log into your server? If so, it hasn't been completely taken over. You may be in a heap of trouble anyway, though. Once someone has compromised your machine, the only reliable fix is to wipe it out and start over. Back up all of your content files first!

What type of server are you running?

AbsintheSyringe




msg:907087
 10:03 pm on Sep 19, 2005 (gmt 0)

Well, the easiest way to check what your server was doing is by checking "/var/log/messages" and definitely "netstat".

Use "finger" to see if anyone's on the server, and use "w" ("top" is even better) to check all their processes. Also use "ps xu" to see all existing processes on the server. So basically this is all you need.

StupidScript




msg:907088
 4:52 pm on Sep 20, 2005 (gmt 0)

If indeed it's a 'Nix box. There are similar tools available for MS boxes.

Keep in mind, too, that most rootkits (if one is installed) will mess with the top and ps output, along with removing info from wtmp and cleaning out traces from the normal log files, like /var/log/messages.

If your system has been compromised and taken over completely, you won't be able to do anything but reboot, if that. If it's being used to mount attacks without having been completely taken over, you can probably see the activity by using top or ps aux, but you may be too late to stop it without reinstalling the OS ... you simply cannot tell which system files have been replaced with bogus ones unless you already had in place some mechanism for doing so. If they're compromised now, you won't be able to tell. File timestamps, permissions, all of that can be forged or appropriated.

We really need more details about your server before we can offer any specific advice, like what operating system and version it's running.
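
One way to apply the netstat check suggested in the thread, as an added example that is not part of any poster's message: it tallies TCP connections per remote endpoint and state, so a burst of connections from the server to a single destination stands out. The function names, the threshold and the sample netstat output (documentation-range addresses) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -tn` output (not taken from a real host).
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:22           198.51.100.7:51234      ESTABLISHED
tcp        0      1 192.0.2.10:40112        203.0.113.50:80         SYN_SENT
tcp        0      1 192.0.2.10:40113        203.0.113.50:80         SYN_SENT
tcp        0      1 192.0.2.10:40114        203.0.113.50:80         SYN_SENT
tcp        0      1 192.0.2.10:40115        203.0.113.50:80         SYN_SENT
tcp        0      0 192.0.2.10:80           198.51.100.23:60211     TIME_WAIT
tcp        0      0 192.0.2.10:80           198.51.100.23:60212     ESTABLISHED
EOF
}

# Read `netstat -tn` output on stdin and print "count remote_addr:port state",
# busiest first. Inbound clients each use a different source port, so they
# count once each; many local sockets aimed at one remote port pile up.
summarize_conns() {
    awk '$1 ~ /^tcp/ && NF >= 6 { count[$5 " " $6]++ }
         END { for (k in count) print count[k], k }' |
        sort -k1,1nr -k2,2
}

# Print "remote_addr:port state count" for every endpoint/state pair that has
# at least $1 connections (the threshold is a judgment call for your host).
flag_heavy() {
    summarize_conns |
        awk -v t="$1" '($1 + 0) >= (t + 0) { print $2, $3, $1 }'
}

# Demo on the constructed sample. On a live host: netstat -tn | flag_heavy 20
sample_netstat | flag_heavy 3
```

Given the thread's caveat that rootkits alter tool output, a clean result on the suspect host does not clear it. Traffic crafted through raw sockets also does not appear in netstat's socket table.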
