[BNM] hacking...
Antony Jones
antonyj at gamesys.co.uk
Mon Nov 5 10:10:41 GMT 2007
> You did completely re-install the server, not just fix the hole -
> presuming you know how they got access in the first place? Once you've
> been compromised you can't trust that backdoors/rootkits etc haven't
> been installed. Wipe the machine, re-install, start from scratch.
When it happened to me they forgot to wipe .bash_history, so I just read
through all the steps they took and examined what their 'rootkit' did.
I too reinstalled, though; they'd written over things like netstat and
/bin/bash with custom versions which were obviously hiding/logging
things.
Antony Jones
Developer
Gamesys Limited
e: antonyj at gamesys.co.uk
t: 0207 478 8103
a: 1st Floor, 54-62 Regent Street, LONDON, W1B 5RE
> -----Original Message-----
> From: bnmlist-bounces at brightonnewmedia.org [mailto:bnmlist-
> bounces at brightonnewmedia.org] On Behalf Of Jay Caines-Gooby
> Sent: 05 November 2007 10:04
> To: Brighton New Media
> Subject: Re: [BNM] hacking...
>
> On 11/4/07, Simon Early <simon.early at gmail.com> wrote:
> > some time ago we had our main site hacked by some little shit in the USA
> > and he caused havoc.
>
> You did completely re-install the server, not just fix the hole -
> presuming you know how they got access in the first place? Once you've
> been compromised you can't trust that backdoors/rootkits etc haven't
> been installed. Wipe the machine, re-install, start from scratch.
>
> Did you store credit card numbers and/or passwords in plaintext in
> your database? Better inform the relevant customers if so. Better
> re-set their password also.
>
> Was the machine a windows or unix box?
>
> --
> Jay Caines-Gooby
> jay at gooby.org
> +44 (0)7956 182625
> skype: jaygooby
> gtalk: jaygooby at gmail.com
> AIM: jaygooby
> --
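The point made in this thread, as an added example that is not part of the original messages: with the suspect disk mounted read-only from rescue media, system binaries are compared against SHA-256 hashes taken from trusted install media, so replaced files such as netstat or /bin/bash show up without running the compromised system's own tools. The function names, the sha256sum-style manifest format and the sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def load_manifest(text):
    """Parse sha256sum-style lines ('<hex>  <path>') into {path: hex}."""
    manifest = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            digest, path = line.split(None, 1)
            manifest[path.strip().lstrip("*")] = digest.lower()
    return manifest


def audit(root, manifest):
    """Compare files under root (suspect disk, mounted read-only) to manifest."""
    results = {}
    for path, expected in sorted(manifest.items()):
        target = os.path.join(root, path.lstrip("/"))
        if not os.path.lexists(target):
            results[path] = "missing"
        elif os.path.islink(target) or not os.path.isfile(target):
            results[path] = "not-regular-file"  # review by hand
        else:
            results[path] = "ok" if sha256_file(target) == expected else "modified"
    return results


def demo():
    """Constructed sample: a fake root in which /bin/netstat was replaced."""
    trusted = {"/bin/bash": b"bash", "/bin/netstat": b"netstat", "/bin/ps": b"ps"}
    on_disk = {"/bin/bash": b"bash", "/bin/netstat": b"trojaned netstat"}
    lines = [f"{hashlib.sha256(d).hexdigest()}  {p}" for p, d in trusted.items()]
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for path, data in on_disk.items():
            with open(os.path.join(root, path.lstrip("/")), "wb") as fh:
                fh.write(data)
        return audit(root, load_manifest("\n".join(lines)))


if __name__ == "__main__":
    print(demo())
```

A "modified" or "missing" result only says where to look; as the thread says, the machine is still wiped and reinstalled.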