  1. #1
    Just Joined!
    Join Date
    Sep 2006
    Posts
    19

    Help with atd.tgz


    Hello everyone,

    Someone has uploaded the atd.tgz to my server. How do I know if any damage is done already? What can I do to fix the problem and prevent further damage?

    Thanks

  2. #2
    Linux Guru smolloy's Avatar
    Join Date
    Apr 2005
    Location
    CA, but from N.Ireland
    Posts
    2,414
    With an attack like this, you can't be sure what else is infected, so, unfortunately, my advice is to reinstall the OS, and rebuild from backups that were made before you were attacked. That last part is important -- don't use any backups that you made after your machine was compromised.

    Sorry you got cracked. That sucks.
    Registered Linux user #388328 || Registered LFS user #15880
    AMD 64 X2 4600+ :: 2X1GB DDR2 800 :: GeForce 9400 GT 512MB :: ASUS M2N32 Deluxe :: 4X250GB SATAII
    Need instant help? Try us on IRC -- #linuxforums on freenode

  3. #3
    Just Joined!
    Join Date
    Sep 2006
    Posts
    19
    Is there any way to check if my files are not infected? Or is there any way to fix it?

    Thanks

  4. #4
    Linux Guru smolloy's Avatar
    Join Date
    Apr 2005
    Location
    CA, but from N.Ireland
    Posts
    2,414
    rkhunter or chkrootkit might be able to find it, but, unless you've already run one of these, it might be disguised from it.

    As far as I can tell from googling, this will infect all the executables you have permission to edit (which is all of them if this was run as root), and it runs some cracking scripts as the apache user. It's busily scanning other machines to try to infect them as well, so you might be putting other servers at risk by keeping yours online.

    That's all I know. Sorry.

  5. #5
    Linux Enthusiast L4Linux's Avatar
    Join Date
    Sep 2008
    Location
    Greece
    Posts
    583
    After you reinstall, you should consider installing tripwire.
    It generates hash values for all important files, so you can find out if any of them have been changed.
    (Of course, you have to keep a backup of the results on separate media, like a CD, after the first run.)
    It also has a commercial version.
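    The baseline-and-verify idea behind Tripwire, shown as an added example (not code from the thread or from Tripwire/AIDE): hash every regular file once, keep that baseline somewhere the host cannot alter, and later diff a fresh scan against it. The directory tree and file contents below are constructed for the demo.

```python
# Added example (not from the thread or from Tripwire): a minimal
# Tripwire-style baseline/verify of file hashes, standard library only.
import hashlib, json, os, stat, tempfile

def hash_file(path):
    """SHA-256 of file contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map every regular file under root to [hash, mode, size]; mode is kept
    so a newly added setuid bit is caught even when the bytes match."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode):  # skip symlinks, devices, sockets
                rel = os.path.relpath(full, root)
                baseline[rel] = [hash_file(full), stat.S_IMODE(st.st_mode), st.st_size]
    return baseline

def compare(old, new):
    """Files that appeared, disappeared or changed since the saved baseline."""
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p])}

def write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def demo():
    """Baseline a constructed tree, tamper with it, then verify. In real use the
    JSON baseline is written to read-only media (a CD) before the host goes live."""
    root = tempfile.mkdtemp()
    write(os.path.join(root, "bin", "ls"), b"#!/bin/sh\necho real ls\n")
    saved = json.dumps(build_baseline(root))     # the trusted copy
    write(os.path.join(root, "bin", "ls"), b"#!/bin/sh\necho trojaned\n")  # simulated infection
    write(os.path.join(root, "tmp", "atd.tgz"), b"constructed dropped file")
    return compare(json.loads(saved), build_baseline(root))
```

    A baseline that lives on the same writable disk as the files it guards can be rewritten by the same intruder, which is why the post above insists on separate media.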

  6. #6
    Just Joined!
    Join Date
    Sep 2006
    Posts
    19
    Anything I could do to check if my machine is already infected? He uploaded it as a user, not root.

  7. #7
    Linux Guru smolloy's Avatar
    Join Date
    Apr 2005
    Location
    CA, but from N.Ireland
    Posts
    2,414
    Like I said, you could install and run rkhunter, but I don't know how you can be sure that he didn't do something that you can't find. I think (just my opinion) that it's simply too risky not to format and reinstall the OS.

    I know this is bad news, and I'm sorry for this, but I think it's the only way to be sure.

  8. #8
    Just Joined!
    Join Date
    Sep 2006
    Posts
    19
    Thanks everyone, I am planning to format and reinstall.

    How should I do the backup? What kind of files are safe/not safe to back up?

    Edited: also, how should I do the format to make sure my HD is clean?

    Will it also affect my two MS Windows XP machines that are connected to my server? My server is a router for them.

  9. #9
    Linux Guru smolloy's Avatar
    Join Date
    Apr 2005
    Location
    CA, but from N.Ireland
    Posts
    2,414
    You shouldn't back up now, as it's impossible to be sure what files are infected. Use an old backup you made from before the attack (you do have backups, don't you!?).

    Reinstalling over the top of the old OS will make sure that everything is deleted.

    Your Windows machines aren't likely to be affected, but a virus scan is probably a good idea.

  10. #10
    Just Joined!
    Join Date
    Sep 2006
    Posts
    19
    Thanks smolloy, my concern is that I have some pictures, music, docs and video that were created recently. How could I make sure that they are not infected? Is there any scanner that could find it out?
