
Re: [seul-edu] Server hacked via FTP hack... need help...



Cameron Miller wrote:

> Ryan Booz wrote:
>
> > it.  Any suggestions on how I can get this stuff corrected and get ssh
> > back up and running?
> >
> > thank you for the time and help.  If there's a place anyone could direct
> > me instead, that's fine...
> >
>
> Upload a known good copy of SSHD and fire it up on a custom port.  You
> may want to make that a static linked executable if you have the time.
> Can you issue a kill command from webmin to take out the offending SSHD?
>   Then you wouldn't need to specify a custom port.
>
> If sshd has been replaced, netstat and other system commands probably
> are also.

You should also go to http://www.chkrootkit.org/ and download chkrootkit.  To
run it most confidently, you should follow these instructions:

*  Can I trust these commands on a compromised machine?

Probably not. We suggest you follow one of the alternatives below:

   1. Use the `-p path' option to supply an alternate path to binaries you
trust:

# ./chkrootkit -p /cdrom/bin


   2. Mount the compromised machine's disk on a machine you trust and specify
a new rootdir with the `-r rootdir' option:

# ./chkrootkit -r /mnt

Of course, this will just help find the extent of the compromise, not recover
from it.  For that you'll need to reinstall all the compromised files.  In my
experience, it's usually best to back off whatever absolutely-required data
are on the system and do a fresh install from the metal up.

--
Doug Loss                 All I want is a warm bed
Data Network Coordinator  and a kind word and
Bloomsburg University     unlimited power.
dloss@bloomu.edu                Ashleigh Brilliant
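As an added illustration (not part of the original thread, and not chkrootkit's own code), the POSIX shell script below applies the same principle as `chkrootkit -r /mnt -p /cdrom/bin`: the suspect filesystem is mounted under a root directory and inspected using only a hashing tool taken from a trusted directory, never the binaries on the compromised disk. The list of files checked, the manifest format (sha256sum-style "hash path" lines) and the demo's throwaway directory layout are all assumptions made for the example; in practice the manifest would come from a clean install of the same packages.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread or from chkrootkit.
# Idea: inspect a compromised disk mounted under ROOT using only a sha256sum
# binary taken from a TRUSTED directory (e.g. a CD), against a manifest of
# hashes recorded from a known-clean install. File list and manifest format
# are assumptions for this example. The shell itself must also be trusted,
# so run this from rescue media or from another machine, not the victim.

# hash_file TRUSTED_BIN FILE: SHA-256 of FILE via the trusted sha256sum only.
# The hash is split off with shell expansion so no other external tool runs.
hash_file() {
    h=$("$1/sha256sum" "$2") || return 1
    echo "${h%% *}"
}

# make_manifest TRUSTED_BIN ROOT OUTFILE: record hashes of the binaries a
# rootkit typically replaces, as paths relative to ROOT. Run on a clean tree.
make_manifest() {
    tbin=$1 root=$2 out=$3
    : > "$out"
    for rel in bin/netstat bin/ps bin/ls usr/sbin/sshd; do
        [ -f "$root/$rel" ] || continue
        printf '%s %s\n' "$(hash_file "$tbin" "$root/$rel")" "$rel" >> "$out"
    done
}

# verify_tree TRUSTED_BIN ROOT MANIFEST: compare the suspect ROOT against the
# manifest. Prints one line per problem; returns 0 only if everything matches.
verify_tree() {
    tbin=$1 root=$2 manifest=$3 rc=0
    while read -r expected rel; do
        [ -n "$rel" ] || continue
        if [ ! -f "$root/$rel" ]; then
            echo "MISSING  $rel"; rc=1; continue
        fi
        actual=$(hash_file "$tbin" "$root/$rel")
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $rel"; rc=1
        fi
    done < "$manifest"
    return $rc
}

# demo: constructed sample data. Build a "clean" tree, take its manifest,
# then copy it to a "suspect" tree with a replaced sshd and a deleted netstat,
# and run the check against both. Prints the report plus a result line each.
demo() {
    command -v sha256sum >/dev/null 2>&1 || { echo "sha256sum not found"; return 1; }
    work=$(mktemp -d) || return 1
    tbin=$work/trusted clean=$work/clean suspect=$work/suspect
    mkdir -p "$tbin" "$clean/bin" "$clean/usr/sbin"
    # Stand-in for copying sha256sum from install media to /cdrom/bin.
    ln -s "$(command -v sha256sum)" "$tbin/sha256sum"
    for f in bin/netstat bin/ps bin/ls usr/sbin/sshd; do
        printf 'clean %s\n' "$f" > "$clean/$f"
    done
    make_manifest "$tbin" "$clean" "$work/manifest"
    verify_tree "$tbin" "$clean" "$work/manifest" && echo "clean rc=0" || echo "clean rc=1"
    cp -R "$clean" "$suspect"
    printf 'trojaned sshd\n' > "$suspect/usr/sbin/sshd"   # attacker's replacement
    rm "$suspect/bin/netstat"                              # attacker removed it
    verify_tree "$tbin" "$suspect" "$work/manifest" && echo "suspect rc=0" || echo "suspect rc=1"
    rm -rf "$work"
}
```

To use it for real rather than in the demo, boot the victim from rescue media or attach its disk to a clean host, mount it read-only (`mount -o ro ...`), point ROOT at the mount and TRUSTED_BIN at a directory of binaries copied from install media, and feed it a manifest generated from a fresh install of the same packages. As Doug says, a mismatch list only tells you the extent of the damage; it is not a recovery.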