
Re: Server Hacked

ADB wrote:
> I doubt it. What services were/are you running? Did you use grsecurity
> or SELinux?

I wasn't using either of those. I did run Bastille and snort. The server
ran apache, postfix, bind, mysql, b2evolution, phpbb, tor, ssh, vsftp
(for internal lan use only), and probably some other things.

I stopped paying close attention to port scans after making it a tor
server. http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#Portscans

I don't see which files have been tampered with yet. (That's the scary
part.) It seems like, without tampering with the actual locations that
apache points to on my drive, the hacker redirects all my sites to the
same defacement message.

I believe I'm going to have to make copies of my various configuration
files and do a fresh install of the entire OS.


> Brian C wrote:
>> My Debian server has been hacked. Every web page I hosted now reads:
>> "XTech Inc Was Here :D"
>> XTech Inc we are: Status-x & PABLIN77
>> uid=0(XTech Inc) gid=0(XTech Inc) groups=0(XTech Inc)
>> Pablin77: MARY TE AMO!!!!!!
>> Powered by XTech Inc / PABLIN77
>> Made in ARGENTINA - pablin_77@xxxxxxxxxxxxx
>> I run Debian-testing and generally stay on top of updates. I do run a
>> few too many services on that server though. I wonder if my recent
>> addition of making it a tor server is what brought my humble server to
>> these jerks' attention? I've little experience with recovering from this,
>> so any advice on what steps to take from here, what log files are
>> relevant, etc. would be greatly appreciated.
>> Brian
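Brian's two open questions above (which files were tampered with, and how every site can be redirected without the DocumentRoot contents changing) are the kind of thing a small triage script answers faster than reading configs by hand. The script below is an added example for this thread, not code from either poster: it greps the Apache and PHP configuration (including .htaccess files) for directives that can hijack every virtual host, verifies files against an md5sum manifest such as the ones dpkg keeps in /var/lib/dpkg/info/*.md5sums, and lists files with an mtime newer than a reference file. All paths, config lines and checksums it uses are constructed in a scratch directory for illustration; on a real box you would point the functions at /etc and /var/www, and run them from a rescue boot or a clean host with the compromised disk mounted, because nothing on a rooted machine (including md5sum, grep and find themselves) can be trusted.

```shell
#!/bin/sh
# Added example, not from the original thread: offline triage of a defaced
# Apache host. Every path, config line and checksum below is constructed.
# Run from a trusted shell with the suspect disk mounted read-only; the
# compromised host's own binaries and kernel cannot be trusted.
set -u

# Configuration lines that can make every virtual host serve the same content
# without touching the files under DocumentRoot: rewrites and redirects,
# aliases, a hijacked ErrorDocument or DirectoryIndex, an extra LoadModule or
# Include, and PHP's auto_prepend/auto_append hooks. A hit is a lead, not proof.
SUSPECT_RE='^[[:space:]]*(Redirect|RedirectMatch|RewriteRule|Alias|AliasMatch|ErrorDocument|DirectoryIndex|LoadModule|Include|php_value[[:space:]]+auto_(prepend|append)_file|auto_(prepend|append)_file)'

# find_redirect_directives DIR
#   Prints file:line:text for each suspect directive under DIR. grep -r also
#   descends into dotfiles, so .htaccess files are covered.
find_redirect_directives() {
    grep -rnE "$SUSPECT_RE" "$1" 2>/dev/null || true
}

# verify_checksums ROOT MANIFEST
#   MANIFEST (absolute path) is in md5sum format with paths relative to ROOT,
#   the layout of /var/lib/dpkg/info/<pkg>.md5sums. Prints each path that no
#   longer matches or is missing. Only meaningful if MANIFEST came from a
#   source the attacker could not edit (the .deb itself, or an old backup).
verify_checksums() {
    ( cd "$1" && md5sum -c "$2" 2>/dev/null ) | grep -v ': OK$' | sed 's/: .*//' || true
}

# recently_changed DIR REFERENCE_FILE
#   Lists files under DIR whose mtime is newer than REFERENCE_FILE. A root
#   attacker can forge mtimes, so an empty result proves nothing.
recently_changed() {
    find "$1" -type f -newer "$2" | sort
}

# make_fixture
#   Builds a constructed scratch tree mirroring a slice of a Debian host and
#   echoes its path: a clean vhost config, two sites, a catch-all RewriteRule
#   dropped in /var/www/.htaccess, and one "binary" altered after its manifest
#   was recorded. Constructed data only.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/apache2/sites-enabled" "$d/var/www/site1" "$d/var/www/site2" "$d/usr/sbin"
    printf '<VirtualHost *:80>\n    ServerName site1.example\n    DocumentRoot /var/www/site1\n</VirtualHost>\n' \
        > "$d/etc/apache2/sites-enabled/site1"
    printf 'Welcome to site1\n' > "$d/var/www/site1/index.html"
    printf 'Welcome to site2\n' > "$d/var/www/site2/index.html"
    # The defacement mechanism: every request rewritten, DocumentRoot untouched.
    printf 'RewriteEngine On\nRewriteRule ^.*$ /defaced.html [L]\n' > "$d/var/www/.htaccess"
    # Manifest recorded while the binary was still the original...
    printf 'original apache2 binary\n' > "$d/usr/sbin/apache2"
    ( cd "$d" && md5sum usr/sbin/apache2 var/www/site1/index.html > "$d/apache2.md5sums" )
    # ...then a reference timestamp is taken and the binary is replaced.
    touch "$d/last-known-good"
    sleep 1
    printf 'trojaned apache2 binary\n' > "$d/usr/sbin/apache2"
    echo "$d"
}

# Demonstration on the constructed tree; drop this when using the functions
# against a real mounted disk.
demo() {
    d=$(make_fixture)
    echo "== suspect directives under var/www";   find_redirect_directives "$d/var/www"
    echo "== checksum mismatches";                 verify_checksums "$d" "$d/apache2.md5sums"
    echo "== files newer than last-known-good";    recently_changed "$d" "$d/last-known-good"
    rm -rf "$d"
}
demo
```

On the constructed tree the first check turns up the .htaccess RewriteRule, the second flags usr/sbin/apache2 as not matching its manifest, and the third lists the same binary as modified after the reference timestamp. The three views disagree on purpose: a checksum mismatch against a manifest the attacker could not edit is evidence, while directive greps and mtimes are only pointers to where to look next. None of this replaces the fresh install Brian already plans; it tells him which configuration files are safe to carry over and which are not.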