Quote:
Originally Posted by sureshkumar.challa
So if anyone accesses my files/directories, immediately notify me through mail. So can you please tell me any way to solve this problem.
As you've gathered from responses this is not the "problem" to focus on. Focus on mitigating the effects of the attack and solving the breach of security first.
Quote:
Originally Posted by sureshkumar.challa
(..) I was maintaining some servers. Last week it was hacked. Someone accessed my server, edited one directory and added some files into that directory.
"Last week" is too long ago. Act now!
- Before you do anything else, please first read the CERT Intruder Detection Checklist. While old, it may still show you actions to perform in case you don't know what to do.
- notify users of systems under investigation that they should change their keys / pass phrases and avoid using these systems because they're suspected to be compromised,
- mitigate the situation by stopping non-vital services (you need SSH to get in, not Apache, MySQL, FTP or any R-services) or denying access to those services by raising the firewall,
- after stabilizing, either prepare /etc, /tmp, /var/tmp, /home and /var backups for future reference and start providing new, properly secured and hardened server(s) if continuity must be guaranteed, or start your investigation.
We need to know a few things about the (perceived) compromised machines:
- Where are they located? (home, colocation, shared hosting, vps, cloud, etc)
- The date of the incident?
- What exact distro + release + kernel? (*If you run Ubuntu 12.04 then you must be running Ubuntu 12.04.2 LTS, as that's the current Long Term Support release),
- What is their purpose? (What services do they run / provide?) *Note: also take into account software running on top of the web server, like CMSes, web logs, shopping carts, photo galleries, statistics packages and anything else, including 3rd-party plugins,
- What do system, daemon and firewall logs show?
- Was all software kept up to date?
- Were these machines hardened?
- What do audit (Samhain, Logwatch, etc, etc), auth (last, lastb, lastlog) and IDS data (Snort, Bro, Prelude, etc, etc if any) show?
- Exactly what files did you find, where did you find them and what was ownership / access rights and MAC times (see 'stat')?
- Have you checked user shell history files?
Please be verbose when you reply, because the more info we have, the better the advice can be tailored.
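The two practical steps the reply above asks for, preserving /etc, /tmp, /var and friends for later reference and then pulling MAC times with 'stat' for anything changed since the incident, can be scripted so they are done once and consistently. The following is an added example written for this page, not code from the original post or its author. It assumes a Linux host with GNU coreutils/findutils (stat -c, find -newer); the incident timestamp, the sample paths and the helper names list_recent, count_recent and preserve_evidence are all hypothetical.

```sh
#!/bin/sh
# Example triage helper (added for this page, not from the original post).
# Assumes GNU stat/find. Run as root on the suspected host *before* cleaning up,
# so ownership, modes and MAC times are recorded as the intruder left them.

# list_recent DIR SINCE
#   SINCE is a `touch -t` timestamp ([[CC]YY]MMDDhhmm), e.g. the day of the incident.
#   Prints one line per regular file modified after SINCE:
#   path|owner:group|octal mode|mtime|ctime
#   The ctime column matters: `touch` can forge mtime but not ctime, so a file
#   whose ctime is later than its mtime was likely backdated by the intruder.
list_recent() {
    dir=$1
    since=$2
    ref=$(mktemp) || return 1
    touch -t "$since" "$ref"                      # reference file carries the incident time
    find "$dir" -type f -newer "$ref" \
        -exec stat -c '%n|%U:%G|%a|%y|%z' {} \; | sort
    rm -f "$ref"
}

# count_recent DIR SINCE -- number of files list_recent would report
count_recent() {
    list_recent "$1" "$2" | wc -l | tr -d ' '
}

# preserve_evidence OUTDIR PATH...
#   Tars each PATH (e.g. /etc /tmp /var/tmp /home /var) with permissions kept,
#   captures login history (last, lastb, lastlog) and the process list, and
#   writes SHA-256 sums so the copies can later be shown to be untampered.
preserve_evidence() {
    out=$1
    shift
    mkdir -p "$out"
    for p in "$@"; do
        [ -e "$p" ] || continue
        name=$(printf '%s' "$p" | tr '/' '_')   # /var/tmp -> _var_tmp
        tar -cpf "$out/${name#_}.tar" "$p" 2>/dev/null
    done
    { last; lastb; lastlog; } > "$out/logins.txt" 2>&1 || true
    ps auxww > "$out/ps.txt" 2>&1 || true
    (cd "$out" && sha256sum * > SHA256SUMS)
}

# Typical use on a real host (incident assumed to have started 2013-06-01):
#   preserve_evidence /mnt/usb/evidence /etc /tmp /var/tmp /home /var
#   list_recent /var/www 201306010000
```

Copy the evidence directory to media the compromised host cannot write to, and keep the listing together with the answers to the questions above; the same list_recent output is what to paste into the thread when describing what was found.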