I suspect my linux server is hacked. What should i do ??
I suspect that my linux server (redhat 7.2) is hacked. The root pwd is changed, ps command displays "segmentation fault", w cmd shows no user but i have been login one console.
I use the old kernel ( 2.4.18-xx) because trendmicro must use this old kernel version.
What should i do ??
I'm no sercurity expert, but i would start with unSpawn's sticky at the top of this forum.
Edit: Wrong url
Disconnect it from the net, reboot from CDROM into rescue mode to reset the root password.
Have you other machines with the same passwords ?
Then look if files got changed.
To get sure it is no fault in the filesystem run fsck.
If you believe your system is cracked, the only solution is to reformat and install the OS again. If you have time at hand, you can venture into finding how your system got cracked.
unspawn had commented in detail on a very recent hack-incident reported on this forum.
Although this may not directly relate to you, you can pick up pointers on how to go about getting back to normal.
If you just want your system up again, backup your important data (but be sure they are not affected by this incident) and reformat and reinstall the OS.
Thanks all replies.
I don't know why someone can enter my server. The ports of server are blocked except 443, 80, 7010, 14942(trendmicro used). Also, this server is located in DMZ. How does someone hack my server ?? This is my second time for this situation !!
Moreover, i use chkrootkit to check my system in order to find "special " file but thers is no file found. Why ? Why ??
try rkhunter too.
Again, read unSpawn's post - the one I pointed you to earlier on this post.
Changing the locations of a few files / renaming them is enough to hide from such rootkit checks.
to check whether there are unknown processes that are running.
Again you cannot be sure about the authenticity of the output of those commands as those commands may themselves been compromised.
I have tried rkhunter but it fail to install into server.
I also try both "netstat -lpa " and "lsof -P" but i don' know how to detinguish which process is suspected.
my server is under production. i can't reinstall server until mid of July.
Whay should I do ??
|All times are GMT -5. The time now is 03:13 PM.|