Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
RE: [suse-security] ver7.2 server was hacked - pls help
From: Mario Neubert (mario_neubertgmx.de)
Date: Wed Apr 23 2003 - 03:51:53 CDT
you can boot from your susecd in rescue-mode, mount your drives and now
you should see what happend.
> -----Original Message-----
> From: Istvan Hollo [mailto:istvan.holloija.hu]
> Sent: Wednesday, April 23, 2003 7:32 PM
> To: suse-securitysuse.com
> Subject: [suse-security] ver7.2 server was hacked - pls help
> Hello Guru's,
> On the weekend our web server (SuSE 7.2 kernel 2.4.4-4GB) was
> hacked by some very clever guys.
> They placed some programs which i can not remove anymore and
> which is even worse - the root's password also was changed (I
> can not start in single user mode - init 1 - password is
> wrong). A "sysadmin" user was created by the hacker and mtab
> also was changed.
> When i try to login and type the username than Enter -> the
> "pasword" question is not coming but the screen is hanging.
> It means we can not log in anymore. Which is interesting,
> this is our mail server also and we can send/receive mails
> but via samba is not possible to connect to the shared drives.
> I'm afraid i have to reinstall the machine, but before i do
> it want to know what and how happened.
> If someone of you experienced with this and could give good
> advices about what to do and how i can analyse who logged it
> would be appreciated.
> Istvan HOLLO
> GlobalTech Hungary Informatikai Kft.
> phone : +36 28 590 500
> fax : +36 28 590 501
> email : istvan.holloija.hu
> www : www.thegt.com www.ija.hu
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-helpsuse.com
Security-related bug reports go to securitysuse.de, not here