Koozali.org: home of the SME Server

Help please

ADG

Help please
« on: December 16, 2004, 09:56:37 PM »
Anyone interested in a bit of 'forensic investigation'?

Someone got into my web site.

I'm a complete numpty about Linux/internet and suspect that they got in because of something silly I've done, but I need to find out how they got in, what they've done and what I need to do to fix it.

If this interests you, send me an email at bron AT emailme.com.au. I'd love some help.


Bron
(if this breaches forum rules, can you delete it?)

mrjhb3
Help please
« Reply #1 on: December 17, 2004, 02:33:03 AM »
Look in your /var/log/messages and see if you can spot something. Search these forums for the unofficial update script and install some or all of the components. I at least recommend rkhunter; then run it and see what it reports.
......

ADG

Help please
« Reply #2 on: December 17, 2004, 06:23:53 AM »
They deleted the /var/log directory and all subdirectories, do you know how to undelete in Linux?

mrjhb3
Help please
« Reply #3 on: December 17, 2004, 01:59:14 PM »
No, I sure don't, sorry.
......

BoZz
Help please
« Reply #4 on: December 17, 2004, 02:10:30 PM »
Hmmmmmmmm, time for a new box, but you could install rkhunter, which might show you what type of rootkit was used. It can be found here: http://mirror.contribs.org/smeserver/contribs/dthomas/smeserver/6.x/Contrib/rkhunter/smeserver-rkhunter-1.1.8-1.noarch.rpm

guest22

Help please
« Reply #5 on: December 17, 2004, 07:16:21 PM »
Please mail ALL security related issues to security AT contribs.org with as much details as possible.

Thanks,
RequestedDeletion

ADG

Help please
« Reply #6 on: December 17, 2004, 10:17:19 PM »
I am initially trying to undelete the security logs; not sure if that will work, though, as I've rebooted the server already. But today I'm going to drag the HDD out and put it in a Windows box and see whether I can get anything back.

I have nothing at the moment that indicates how they got in or what they did, other than change the index.* files on the site and delete the log files.
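A first-pass triage script for the two leads raised in this thread (Reply #1: read /var/log/messages; Reply #6: the index.* files were replaced). This is an added example written for this page, not code from the original posters or from the SME Server project. The log lines, host name, account names and IP addresses (documentation ranges) are constructed for the example, as is the throw-away webroot; the function names are the example's own. It assumes a POSIX shell with grep, awk, find and touch, which SME Server 6.x has.

```shell
#!/bin/sh
# Added example for this thread (not code from the original posts or from the
# SME Server project). First-pass triage of a box like the one described:
#  1. scan a syslog-style messages file for events worth reading first;
#  2. tally failed SSH logins per source address;
#  3. list web files changed after a known-good reference file.
# Everything below runs on constructed sample data, so it works offline.

# Sample /var/log/messages content, constructed for this example. Real lines
# on an SME Server 6.x box have the same "Mon DD HH:MM:SS host prog[pid]:" shape.
write_sample_log() {
    cat <<'EOF'
Dec 15 22:01:10 sme sshd[2201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Dec 15 22:01:14 sme sshd[2201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Dec 15 22:01:19 sme sshd[2203]: Accepted password for root from 203.0.113.7 port 40130 ssh2
Dec 15 22:02:40 sme sshd[2210]: Failed password for admin from 198.51.100.9 port 51010 ssh2
Dec 15 22:03:02 sme su(pam_unix)[2240]: session opened for user root by admin(uid=500)
Dec 15 22:05:45 sme useradd[2260]: new user: name=backup2, UID=0, GID=0, home=/, shell=/bin/bash
Dec 15 22:10:00 sme ftpd[2290]: ANONYMOUS FTP LOGIN FROM 203.0.113.7
Dec 15 23:00:01 sme CROND[2300]: (root) CMD (run-parts /etc/cron.hourly)
Dec 16 08:30:11 sme kernel: eth0: link up
EOF
}

# Print the lines an investigator wants to read first: a successful root login
# over SSH, su sessions to root, a new account created with UID 0 (a second
# root), and anonymous FTP logins. Plain extended regexes, so the function also
# works on a copy of the log carried to another machine.
flag_suspicious() {
    grep -E \
        -e 'sshd\[[0-9]+\]: Accepted (password|publickey) for root' \
        -e 'session opened for user root' \
        -e 'new user: name=[^,]*, UID=0,' \
        -e 'ANONYMOUS FTP LOGIN' \
        "$1"
}

# Count failed SSH logins per source address, most frequent first.
# Output lines look like "2 203.0.113.7".
failed_login_sources() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
         }' "$1" | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# List regular files under WEBROOT modified later than REFERENCE. For the
# defaced site in the thread, REFERENCE would be a file the owner knows was
# untouched (a copy from backup, or the last file they edited themselves).
# Caveat: an intruder with root can reset mtimes with touch, so an empty
# result proves nothing; a non-empty one is a lead worth following.
recent_web_files() {
    find "$1" -type f -newer "$2" | sort
}

# Constructed webroot for the example: two pages dated before the incident,
# one index page rewritten afterwards.
make_sample_webroot() {
    d=$(mktemp -d)
    mkdir -p "$d/html"
    : > "$d/html/index.html"; : > "$d/html/about.html"; : > "$d/reference"
    touch -t 200412010000 "$d/html/about.html" "$d/reference"
    touch -t 200412161200 "$d/html/index.html"
    printf '%s\n' "$d"
}

# Run with "demo" as the first argument to see all three checks on the sample data.
if [ "${1:-}" = "demo" ]; then
    log=$(mktemp); write_sample_log > "$log"
    echo "== events worth reading first =="; flag_suspicious "$log"
    echo "== failed SSH logins by source =="; failed_login_sources "$log"
    root=$(make_sample_webroot)
    echo "== web files newer than $root/reference =="
    recent_web_files "$root/html" "$root/reference"
    rm -rf "$log" "$root"
fi
```

Two points a practitioner would add to the thread. First, on a live Linux box a deleted log that syslogd still has open is not gone: `ls -l /proc/*/fd 2>/dev/null | grep '(deleted)'` shows such files, and the contents can be copied out of `/proc/<pid>/fd/<n>` for as long as the daemon keeps running; that path closes the moment the daemon is restarted or the machine is rebooted, which is why the reboot mentioned in Reply #6 costs evidence. Second, mtime-based searches like `recent_web_files` are a quick lead, not proof, for the reason in the comment: anyone who could delete /var/log could also reset timestamps.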