Hi all,

I have been running a fedora C2 webserver at home for a while just to host some family photos and what not.. Last night it was hacked? All directorys are now GONE!! I do have a backup but would like to find an address of the attacker.. how would I go about finding this ?

Thanks in advance.
Jek.

First off, make sure it is a hacker, and that your HD didn't fail or anything similar. However, I suppose you could look at network logs for suspicious activity if you have them somewhere.

Second if all directory where gone only root could do this.

NO MATTER WHAT HANGS ON THE INTERNET IT NEEDS TO BE SECURED AND UPDATED AT A DAY BASES IF NOT 24/7

If you dont know what youre doing make sure you find out ASAP.

All main distro are at default not so mega secure as man may think.

Examples some service should not be on at default ssh should not run at v1 and a choice for running no firewall is stupid, login thru root thru ssh and so on.

i think you had it on the internet with a ssh port open and a bloody simpel password like god ;-( dont make users like test with password test
if you do youre fucked for sure within 30 days.

This is not a flame i realy hope you will learn from it and make sure it wont happen again.
Makes the world much saver.

Use the basic rules :

use long and no simpel passwords
close ssh for v1 and use allow user .... (no root)
use chkconfig --level 345 yum on
update at daily bases auto
check logs
etc etc look it up.

did you know there are in the world every 1 second 2 attacks on major systems of the internet.
This is mainly done thru a machine that was hacked like yours.
I think the hacker (script kiddie) screwed up his own script :-)


On my webserver i get 40.000 hack attemps on my ssh only a WEEK if i installed FC basic.
with help of tools like portsentry etc etc it is reduced to under 10 mostly 0


But youre server could be used if hacked to take part of a DDOS atack on the whitehouse, NASA, or in our country the dutch goverment internet sites.

If this happens youre provider must take youre DSL connection offlline and this is costing you money so that why in typing the whole to long story ;-)

all comes to 1 thing MONEY

Be safe and ask if you dont know we can help you

Thanks for the reply.. I always update, I admit I need to know more about it.

I do however want to know how to find the logs though.. Is it possible ?

What exactly is gone, and if it's everything from
underneath /var/log are you sure you didn't accidentally
clean it up yourself?


Cheers,
Tink

Honestly,

I think being a PC tech for a living I would know if I DELETED my entire WWW directory.

It was there last night, when I got up today it's gone.

Usually the logs are in /var/log/secure or /var/log/messages
Good luck I hope you find some info.

Thank you very much.