[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] My VPS relay has just been hacked

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-relays] My VPS relay has just been hacked
From: Geoff Down <geoffdown@xxxxxxxxxxxx>
Date: Sun, 26 Oct 2014 19:46:52 +0000
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sun, 26 Oct 2014 15:47:08 -0400
Dkim-signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=fastmail.net; h= message-id:x-sasl-enc:from:to:mime-version :content-transfer-encoding:content-type:subject:date:in-reply-to :references; s=mesmtp; bh=fYps3DGclyFs+mt5gAxOX6Br5Jo=; b=lw/aRC lJCADmofxV0TOMkL3OhxRSPBwFj+rrXKTGi387y7x1YbjPtmRknjq2gxj+ZxjSIs kQREljqdLaWanmHU1uuJL2IVs5iu/ypGegYY56urqSchTkC8ykblMge8nRYuxqd5 Fy44dDObz95bJKi5MBYKU7cJmT+Q/890y0iv8=
Dkim-signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=message-id:x-sasl-enc:from:to :mime-version:content-transfer-encoding:content-type:subject :date:in-reply-to:references; s=smtpout; bh=fYps3DGclyFs+mt5gAxO X6Br5Jo=; b=qJM/QNaWMUNZA/skFXdc/Znv3KymzAuMwjtLV4RvhXdX3aS9Nnu/ wleuJH5RVVMzR9kz8/IPNE5y630I2R9dzUrjlVK2364z18Uu8ReoKGUK56iZpzii SmclgWK+3JGlEfoAXVk4Umz0t1624lDXearh6WZhr8FPwdSkiqpg61I=
In-reply-to: <544D4313.6070308@xxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
References: <544BB555.6080800@xxxxxxxxxxxxx> <544D4313.6070308@xxxxxxxxxxxxx>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

Hello Nick,
I hop you don't mind a few pointers on this based on my experience of
hacked sites:
 When listing directories, use 'ls -alct' to show hidden files as well,
 and the ctime rather than the mtime - mtime is trivial to falsify.
When using 'ps', compare the process names with those given by running
(as root) 'lsof -p <processnum>' where <processnum> is the number of the
suspect process. The entries with 'txt' and 'cwd' in the fourth column
will let you see the files connected to the process, which can be useful
if a process is spoofing its name or the file that was run was deleted
by the process to try to cover its tracks. Entries with 'IPv4' in the
fifth column will show any network connections that processes have
opened up (visible on their own using 'lsof -i') in case the bot is
trying to call home.
 Regards,
Geoff

-- 
http://www.fastmail.fm - Faster than the air-speed velocity of an
                          unladen european swallow

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Follow-Ups:
- Re: [tor-relays] My VPS relay has just been hacked
  - From: Nick Sheppard

References:
- [tor-relays] My VPS relay has just been hacked
  - From: Nick Sheppard
- Re: [tor-relays] My VPS relay has just been hacked
  - From: Nick Sheppard

Prev by Author: [tor-relays] tor-relays set on nokia n900
Next by Author: Re: [tor-relays] obfsproxy not working on bridge relay
Previous by thread: Re: [tor-relays] My VPS relay has just been hacked
Next by thread: Re: [tor-relays] My VPS relay has just been hacked
Index(es):
- Author
- Thread