I've been hacked; what to do next?

Question

I've been hacked; what to do next?

general

forum:gmt 17 years, 2 months ago

I went one one of my Mambo/php sites, instead of the usual stuff I found "HaCKeD By BeLa & BodyguarD (Turkish Hackers)". This is a PHP site and and I found a new index.html dated Jan 31.

It looks like they are very busy

http://www.google.com/search?q=bela+bodyguard

http://www.google.com/search?q=mambo+bela+bodyguard

This could be just a Mambo PHP hack (not so bad), or a full rookit (very bad). Suspecting a root kit, I installed chkrootkit & it shows:

Checking `lkm'… You have 57 process hidden for ps command

chkproc: Warning: Possible LKM Trojan installed

This does not sound good. I dont know if this is a false positive because of UML or a real rootkit. I have standard Redhat 9 running for 3 years, all passwords are mine an alpha-numeric, firehol is used as the firewall. I'm currently backing up everything using rsync.

So where do I go from here? I have no idea how this was done, they didn't seem to vandalise anything just show their presence. I suppose I will have to start again with a new distro and rebuild from scratch.

2 Replies

forum:Xan · Answer 1 · Feb. 3, 2007, 1:04 a.m.

forum:Xan 17 years, 2 months ago

Sounds bad. I'd wipe and start over, in your shoes. Not sure you can really trust anything on the system.

I've never seen a UML-caused chkrootkit false positive.

forum:razza · Answer 2 · Feb. 5, 2007, 12:56 a.m.

forum:razza 17 years, 2 months ago

Yep I run a few rootkit scanners when I do a server audit once in awhile I've never gotten a false positive regarding running processes.

Compute

Storage

Databases

Networking

Developer Tools

Delivery

Security

Services

Industries

Pricing

Community

Engage With Us

I've been hacked; what to do next?

2 Replies

Reply

Tips: