[Ilugc] Intruders cracked my Server
- From: knura@xxxxxxxxx (Arun Khan)
- Date: Fri Jun 20 00:41:07 2008
On Friday 20 Jun 2008, Thanigairajan murugan wrote:
I think my root password should be the problem (admin123) which is a
dict word and crackers have done their job easily.
Welcome to the school of hard knocks. With such a password, you
deserved what happened to you.
They create a user named "oracle" and they create a directory named
"bot" and some files and some scripts
I hope you have not left the system in this state and online. Suggest a
fresh install.
Lesson Learned:
1) Password should be strong.
2) Allow ssh from known IPs only.
or hostnames, e.g. dyndns services. Make sure the hostname is updated to
the current IP.
3) Have to take bare metal backup after installing the system, for
quick restore
4) Install and monitor any intrusion detection system
Use tripwire/aide to create file signature db and store the db on a ro
media only. When compared it will tell you the files touched by the
intruder.
-- Arun Khan