
Re: [tor-relays] My VPS relay has just been hacked



On 26/10/14 19:46, Geoff Down wrote:
Hello Nick,
I hope you don't mind a few pointers on this based on my experience of
hacked sites:
  When listing directories, use 'ls -alct' to show hidden files as well,
  and the ctime rather than the mtime - mtime is trivial to falsify.
When using 'ps', compare the process names with those given by running
(as root) 'lsof -p <processnum>' where <processnum> is the number of the
suspect process. The entries with 'txt' and 'cwd' in the fourth column
will let you see the files connected to the process, which can be useful
if a process is spoofing its name or the file that was run was deleted
by the process to try to cover its tracks. Entries with 'IPv4' in the
fifth column will show any network connections that processes have
opened up (visible on their own using 'lsof -i') in case the bot is
trying to call home.
  Regards,
Geoff

I don't mind at all! The more pointers the better! I'm new to VPSing and even newer to hack-hunting ... this is really useful.

Thanks again,
Nick
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
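To make Geoff's lsof checks mechanical, here is an added example (not from the thread or from either poster) that parses the output of 'lsof -p <pid>' for one suspect process, compares the ps name with the 'txt' executable, flags a deleted executable or a cwd in a temporary directory, and lists the IPv4 rows that 'lsof -i' would also show. The STAGING directories and the sample lsof text are assumptions constructed for the example.

```python
# Added example (not from the thread): triage one process from 'lsof -p <pid>' output with
# Geoff's checks. The lsof text below is constructed, not captured from a real host.
import os
from collections import namedtuple

Entry = namedtuple("Entry", "command pid user fd type device size node name")
STAGING = ("/tmp", "/dev/shm", "/var/tmp")  # assumption: usual drop locations for bots

def in_staging(path):
    return any(path == d or path.startswith(d + "/") for d in STAGING)

def parse_lsof(text):
    """lsof has nine columns; split at most 8 times so a NAME with spaces stays whole."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 8)
        if len(parts) == 9 and parts[0] != "COMMAND":
            rows.append(Entry(*parts))
    return rows

def triage(ps_name, lsof_text):
    """Return exe, cwd, IPv4 sockets and a list of alerts for one suspect process."""
    report = {"exe": None, "cwd": None, "ipv4": [], "alerts": []}
    for e in parse_lsof(lsof_text):
        if e.fd == "txt":  # the file that was executed
            deleted = e.name.endswith(" (deleted)")
            exe = e.name[:-len(" (deleted)")] if deleted else e.name
            report["exe"] = exe
            if deleted:
                report["alerts"].append(f"executable unlinked while running: {e.name}")
            # ps shows the kernel comm name (15 chars max); a spoofed name will not match
            if os.path.basename(exe)[:15] != ps_name:
                report["alerts"].append(f"ps name {ps_name!r} != executable {exe}")
            if in_staging(exe):
                report["alerts"].append(f"executable lives in a staging dir: {exe}")
        elif e.fd == "cwd":
            report["cwd"] = e.name
            if in_staging(e.name):
                report["alerts"].append(f"cwd is a staging dir: {e.name}")
        elif e.type == "IPv4":  # the same rows 'lsof -i' would list for this pid
            report["ipv4"].append(f"{e.node} {e.name}")
    return report

# Constructed sample for a process that ps reports as "sshd"
SUSPECT = """COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 4242 root cwd DIR 253,0 4096 1310 /tmp/.x
sshd 4242 root txt REG 253,0 77824 1311 /tmp/.x/sshd (deleted)
sshd 4242 root 3u IPv4 99887 0t0 TCP 198.51.100.7:51234->203.0.113.5:6667 (ESTABLISHED)
"""
```

A name mismatch is only a hint: an interpreter running a script (txt is /usr/bin/python3) mismatches legitimately, and a kernel-level rootkit can hide a process from ps and lsof entirely, so treat a clean result as unconfirmed rather than as proof of a clean host.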