Some resources for determining whether you've been hacked, suggestions for recovering and preventing a recurrence.

See AboutThesePages.

Contents

Notes

From Chris Palmer on Bltnewuser@basiclinuxPLEASENOSPAM.net, around 1 Apr 2002 (IIUC, the numbers are port numbers (or are they process numbers?)):

• 978 ./srape Srape is a perl script which sends tcp with no flags set and causes the victim to reply with rst packets. Seems to be more effective than a syn attack and harder to filter. See http://packetstormsecurity.nl/DoS/

• 980 ./krush sends spoofed igmp packets with random codes/types set. Raises the CPU average on many machines, including routers. See http://packetstorm.widexs.nl/DoS/

• 991 tar -zxvf 7350cfingerd-0.0.4.tar.gz remote root format string exploit. See http://packetstorm.widexs.nl/groups/teso/

Looks like your server was being setup as a DDoS bot.

Resources

See ResourceRecommendations. Feel free to add additional resources to these lists, but please follow the guidelines on ResourceRecommendations including ResourceRecommendations#Guidelines_for_Rating_Resources.

Recommended

• (rhk) Re: HACKED?; J. Craig Woods; 06/27/2002 -- actually, it's the next post in this thread (by James) that seems to be helpful -- it wasn't yet in the archives when I went to find it.

Recommended for Specific Needs

• (rhk) [[][]] --

Recommended by Others

• (rhk) chkrootkit --

No Recommendation

• (rhk) [[][]] --

Not Recommended

• (rhk) [[][]] --

Contributors

• () RandyKramer - 28 Jun 2002
• <If you edit this page: add your name here; move this to the next line; and include your comment marker (initials), if you have created one, in parenthesis before your WikiName.>

[[Main.RandyKramer#28 Jun 2002][]]

Page Ratings