[H-GEN] apache2 compromised or just attempts?

Troy Piggins troy at piggo.com
Sun May 28 21:11:02 EDT 2006


* Ted Percival <ted at midg3t.net> :
> 
> You could start with the chkrootkit and rkhunter tools (available
> packaged in Debian, so probably also in Ubuntu). I think the general
> course of action once a machine has been rooted is to wipe it clean and
> start with a fresh install from trusted media, though.
> 
> Other things you can do include setting up iptables rules to block
> outgoing connections to common IRCD ports (6667/tcp, for instance) or
> disconnecting the machine from all networks.
> 
> Just remember your kernel and iptables binaries could be rooted, too.
> The only safe action is to reinstall the machine from scratch; don't
> forget to use different passwords for your accounts.
> 
> IANASP ;) [ SP = Security Professional ]
> 
> -Ted
> 
> Troy Piggins wrote:
> > I've since found out that it's a horde 3 vulnerability - well that's the likely
> > candidate at the moment.
> > 
> > I've uninstalled it, but how do I stop those irc servers?

Thanks.  Reinstalling tonight after backup.  I wanna get these guys...

-- 
Troy Piggins
  ,-o    Ubuntu v5.10 (Breezy Badger): kernel 2.6.12-10-k7,
 o   )   postfix 2.2.4, procmail 3.22, mutt 1.5.11i,
  `-o    slrn 0.9.8.1/rt (score_color patch), vim 7.0
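
Added example, not part of the original thread: a shell sketch of the containment step Ted describes, generating iptables rules that log and reject outbound TCP to IRC ports and scanning `netstat -tn` style output for connections that are already open. Only 6667/tcp comes from the thread; the other ports, the function names and the sample connection table are assumptions constructed for illustration.

```shell
#!/bin/sh
# Assumption: 6660-6669, 6697 and 7000 are treated as "common IRCD ports";
# the thread itself names only 6667/tcp.
IRC_PORTS="6660:6669 6697 7000"

# Print (do not apply) rules that log, then reject, outbound TCP to IRC ports.
# Review the output and run it as root to apply.
irc_egress_rules() {
    for p in $IRC_PORTS; do
        echo "iptables -A OUTPUT -p tcp --dport $p -j LOG --log-prefix \"IRC-OUT: \""
        echo "iptables -A OUTPUT -p tcp --dport $p -j REJECT --reject-with tcp-reset"
    done
}

# Read `netstat -tn` style output on stdin and print the foreign address and
# state of every TCP connection whose remote port is an IRC port.
irc_connections() {
    awk '$1 ~ /^tcp/ {
        n = split($5, a, ":"); port = a[n] + 0   # last field handles host:port
        if ((port >= 6660 && port <= 6669) || port == 6697 || port == 7000)
            print $5, $6
    }'
}

# Constructed sample connection table (documentation address ranges).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:51544      ESTABLISHED
tcp        0      0 192.0.2.10:43512        203.0.113.5:6667        ESTABLISHED
tcp        0      0 192.0.2.10:43519        203.0.113.9:7000        SYN_SENT
EOF
}

irc_egress_rules
sample_netstat | irc_connections
```

On a host that has already been rooted, the output of `netstat` and the behaviour of `iptables` cannot be trusted, as the quoted reply points out, so apply the same rules on an upstream firewall where one exists.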



