Linode Forum Index Linode Forum
Linode Community Forums
 


server hacked, need help


 
       Linode Forum Index -> General Discussion
Author Message
Karnius



Joined: 18 Dec 2008
Posts: 27

Posted: Thu Feb 11, 2010 6:31 pm    Post subject: server hacked, need help  

Hi guys,

My server has been hacked. I did a netstat and my server is attempting to contact FTPs around the world every 30 seconds.

I changed my root account. I most likely got the Gumblar virus. How can I stop this thing?!


Is that a cron job?
anderiv



Joined: 27 Apr 2004
Posts: 179

Posted: Thu Feb 11, 2010 10:23 pm    Post subject: Re: server hacked, need help  

Karnius wrote: Hi guys,

My server has been hacked. I did a netstat and my server is attempting to contact FTPs around the world every 30 seconds.

I changed my root account. I most likely got the Gumblar virus. How can I stop this thing?!


Is that a cron job?

1. Shut it down now.
2. Take an image of it for future forensic investigation.
3. Rebuild from scratch or from a known-good backup.

That's really all you can do when you get rooted, as you, in most circumstances, have no way of knowing what exactly the perpetrator did to your server.
funkytastic



Joined: 10 Aug 2008
Posts: 76
Location: ~$

Posted: Thu Feb 11, 2010 10:54 pm    Post subject:  

It's worth mentioning that Gumblar propagates by infecting Windows machines with malware that steals stored passwords for FTP programs, Dreamweaver and such. So make sure you've changed your passwords and disinfected any Windows machines where you stored them, before rebuilding the server.
 