LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 04-15-2012, 11:54 AM   #16
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125
If you don't have any signs of a root level intrusion, then it is possible to perform a salvage operation. I would recommend the following course of action:
1 - Scour the logs for signs of root level action, which you apparently have done
2 - look for modified system binaries, using either RPM verify or debsums depending on your distribution
3 - Use the commands in the CERT checklist to find any other hidden files, root owned files with setuid, etc and verify that all of these are clean.
4 - look through the bash history and verify that cron tables have not been messed with.
5 - look at the output of lsof -Pwn and netstat -tanpe and make sure you don't have any processes you can't account for with open connections.

The above items should take you about an hour or two, but will be well worth the peace of mind that your compromise was limited. If all looks good, double check your web files for any modifications and/or strange scripts (look at the mtime and ctime and use the find command to see if anything has been modified post suspect compromise time). Then make your cPanel backup. On the new host machine: one, if you haven't already, make sure all of your server applications are up to date, as this will be one of the key defenses against becoming re-compromised; two, install some sort of active HIDS that will give you alerts as to whether or not there are system modifications. Then bring your web site up online on these other machines. I would also highly recommend that you use .htaccess or vhost configuration to make any of your admin web control programs accessible only from a trusted host, or even from localhost, and then use a certificate to require access to the site. Also consider using an application like mod_security or fail2ban to discourage brute force attempts against your system, and if you notice a repeat IP address attempting to scan or gain entry to your system, consider blocking the IP or even the entire ISP, at least temporarily.

Ultimately, you still need to try to determine what enabled file inclusion and execution of scripts on your system, as the weakness could still be in your web stack that you are porting over.
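The file-system checks from the post above (files changed after the suspected compromise time by mtime and by ctime, setuid/setgid files, hidden dot-files under the web root), as an added example that is not part of the original post. It assumes GNU or BSD find, since `-cnewer` is not in POSIX; the directory and timestamp are arguments the reader supplies.

```sh
#!/bin/sh
# Added example, not from the thread: post-compromise file-system checks as shell
# functions. Assumes GNU or BSD find (-cnewer is not POSIX).

# Regular files whose content (mtime) changed after the suspected compromise time,
# given as a touch(1)-style timestamp YYYYMMDDhhmm.
mtime_since() {
    dir=$1; since=$2
    ref=$(mktemp) || return 1
    touch -t "$since" "$ref" || { rm -f "$ref"; return 1; }
    find "$dir" -type f -newer "$ref" -print
    rm -f "$ref"
}

# Regular files whose inode (ctime) changed after the suspected compromise time.
# This pass matters because an intruder can reset mtime with touch to blend a
# dropped script in with old files, but cannot set ctime without changing the
# system clock, so a file that is "old" by mtime and "new" by ctime is suspicious.
ctime_since() {
    dir=$1; since=$2
    ref=$(mktemp) || return 1
    touch -t "$since" "$ref" || { rm -f "$ref"; return 1; }
    find "$dir" -type f -cnewer "$ref" -print
    rm -f "$ref"
}

# Regular files with the setuid or setgid bit set. Nothing under a web root
# should carry these bits; under / compare the list against the package manager.
setuid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Dot-files and dot-directories, a common place for web shells and droppers
# to hide because directory listings and casual ls calls skip them.
hidden_entries() {
    find "$1" -name '.*' ! -path "$1" -print
}

# Run all four checks and print them as labelled sections.
audit_tree() {
    dir=$1; since=$2
    echo "== mtime after $since =="; mtime_since "$dir" "$since"
    echo "== ctime after $since =="; ctime_since "$dir" "$since"
    echo "== setuid/setgid files ==";  setuid_files "$dir"
    echo "== hidden entries ==";       hidden_entries "$dir"
}

# Usage: sh audit.sh /var/www/html 201204100000
if [ $# -eq 2 ]; then
    audit_tree "$1" "$2"
fi
```

Run it against the web root with the earliest time you believe the intrusion could have started; anything listed under the ctime section that is missing from the mtime section deserves a close look, because that pattern is what a backdated file looks like.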