[H-GEN] apache2 compromised or just attempts?
Troy Piggins
troy at piggo.com
Sun May 28 21:11:02 EDT 2006
* Ted Percival <ted at midg3t.net> :
>
> You could start with the chkrootkit and rkhunter tools (available
> packaged in Debian, so probably also in Ubuntu). I think the general
> course of action once a machine has been rooted is to wipe it clean and
> start with a fresh install from trusted media, though.
>
> Other things you can do include setting up iptables rules to block
> outgoing connections to common IRCD ports (6667/tcp, for instance) or
> disconnecting the machine from all networks.
>
> Just remember your kernel and iptables binaries could be rooted, too.
> The only safe action is to reinstall the machine from scratch; don't
> forget to use different passwords for your accounts.
>
> IANASP ;) [ SP = Security Professional ]
>
> -Ted
>
> Troy Piggins wrote:
> > I've since found out that it's a Horde 3 vulnerability - well, that's the likely
> > candidate at the moment.
> >
> > I've uninstalled it, but how do I stop those IRC servers?
Thanks. Reinstalling tonight after backup. I wanna get these guys...
--
Troy Piggins
,-o Ubuntu v5.10 (Breezy Badger): kernel 2.6.12-10-k7,
o ) postfix 2.2.4, procmail 3.22, mutt 1.5.11i,
`-o slrn 0.9.8.1/rt (score_color patch), vim 7.0
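
The two triage steps discussed in this thread (finding the IRC processes and blocking outbound IRC traffic), sketched as an added example that is not part of the original messages. It assumes `netstat -tnp`-style input; 6667 is the port named in the thread, while 6697 and 7000, the function names and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. 6667 is the port named in the thread;
# 6697 and 7000 are assumed extra IRC ports. Edit IRC_PORTS to suit.
IRC_PORTS="${IRC_PORTS:-6667 6697 7000}"

# Read `netstat -tnp`-style lines on stdin; print sockets that listen on, or
# connect out to, an IRC port, with the owning PID/program when present.
flag_irc_sockets() {
    awk -v ports="$IRC_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) irc[p[i]] = 1 }
        $1 !~ /^tcp/ { next }                     # skip headers and non-TCP rows
        {
            nl = split($4, l, ":"); lport = l[nl]  # port is the last ":" field
            nf = split($5, f, ":"); fport = f[nf]
            prog = (NF >= 7) ? $7 : "-"
            if ($6 == "LISTEN" && (lport in irc))
                print "LISTEN", $4, prog
            else if ($6 != "LISTEN" && (fport in irc))
                print "OUTBOUND", $4, "->", $5, $6, prog
        }'
}

# Print (do not run) iptables commands that log, then reject, outbound TCP
# to each IRC port. Review the output before applying it as root.
print_block_rules() {
    for port in $IRC_PORTS; do
        echo "iptables -A OUTPUT -p tcp --dport $port -j LOG --log-prefix 'irc-out: ' --log-uid"
        echo "iptables -A OUTPUT -p tcp --dport $port -j REJECT --reject-with tcp-reset"
    done
}

# Constructed sample input (documentation addresses, made-up PIDs).
SAMPLE='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.0.2.10:80 198.51.100.7:51234 ESTABLISHED 2301/apache2
tcp 0 0 192.0.2.10:43512 203.0.113.5:6667 ESTABLISHED 4410/perl
tcp 0 0 0.0.0.0:6667 0.0.0.0:* LISTEN 4415/ircd
tcp 0 0 192.0.2.10:22 198.51.100.9:40022 ESTABLISHED 1200/sshd'

printf '%s\n' "$SAMPLE" | flag_irc_sockets
print_block_rules
```

As the quoted reply warns, the netstat and iptables binaries on a rooted machine may themselves be tampered with, so this output is a lead for the investigation and not proof that the host is clean.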