Security Incidents mailing list archives

Re: IIS web server hacked..any tips?


From: Dave Dodge <dododge () dododge net>
Date: Thu, 16 Dec 2004 17:21:42 -0500

On Thu, Dec 16, 2004 at 12:08:50PM -0500, Valdis.Kletnieks () vt edu wrote:
> What percentage of attackers have half a brain? ;)

As an example, the one I ran into this summer:

  - tried to hide his own sshd by calling it /bin/sendmail and
    listening on port 322 -- but left its syslog logging enabled, so
    in /var/log/messages there was a detailed list of who, when, and
    from where the logins occurred.

  - left his complete command list from a couple of logins in
    root's bash history.

  - the rootkit he used managed to screw up the system so badly that
    most desktop applications and some command-line tools (such as
    "top") wouldn't even start due to library mismatches.

That said, I still rebuilt the machine from scratch rather than
just repairing the damage.

                                                  -Dave Dodge
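
Added example, not part of the original post: a sketch of how a responder could pull the login trail described above out of /var/log/messages by flagging sshd-style login messages that were logged under a process name other than sshd. It assumes the renamed daemon logs under the name it was started as and uses the traditional syslog line layout; the function name and the sample log lines are constructed for illustration.

```python
import re

# Traditional syslog layout: "Mon DD HH:MM:SS host tag[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<tag>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# Shape of the login messages OpenSSH's sshd writes to syslog.
SSH_AUTH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def find_masqueraded_ssh_logins(lines, expected_tags=("sshd",)):
    """Return sshd-style login records logged under an unexpected process name."""
    hits = []
    for line in lines:
        entry = SYSLOG_RE.match(line.rstrip("\n"))
        if entry is None or entry.group("tag") in expected_tags:
            continue  # unparseable, or a login from the real sshd
        auth = SSH_AUTH_RE.match(entry.group("msg"))
        if auth:
            hits.append({
                "when": entry.group("ts"),
                "tag": entry.group("tag"),
                "pid": entry.group("pid"),
                "result": auth.group("result"),
                "user": auth.group("user"),
                "src": auth.group("src"),
            })
    return hits

# Constructed sample lines (documentation addresses), not data from the incident.
SAMPLE_LOG = [
    "Jul 12 02:58:40 web01 sshd[1702]: Accepted publickey for admin from 198.51.100.7 port 51514 ssh2",
    "Jul 12 03:10:01 web01 sendmail[1875]: i6C3A1xx001875: from=root, size=312, class=0, nrcpts=1",
    "Jul 12 03:14:07 web01 sendmail[2211]: Accepted password for root from 192.0.2.45 port 40112 ssh2",
    "Jul 13 23:41:52 web01 sendmail[3054]: Failed password for invalid user test from 192.0.2.45 port 40977 ssh2",
    "Jul 14 00:02:19 web01 kernel: eth0: link up",
]

if __name__ == "__main__":
    for hit in find_masqueraded_ssh_logins(SAMPLE_LOG):
        print("{when} {tag}[{pid}] {result} login for {user} from {src}".format(**hit))
```

On a host already known to be compromised, run this against a copy of the log taken from an offline image, since the local logs and tools may have been altered.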

