03-18-2010 #11
linux user # 503963
Did you allow anonymous access to your FTP server? Or any weak-passworded accounts on FTP / SSH?
Have you run a full nmap on yourself to make sure that no other ports have been opened?
Have you examined the output of netstat -a or tcpdump to make sure there's nothing illegitimate attempting to connect out?
Running the following command (or Debian equiv with sudo) will highlight any files with SUID or SGID of root which can be potential backdoors:
find / -type f \( \( -perm /4000 -a -user root \) -o \( -perm /2000 -a -group root \) \) -ls
Maybe also have a look at chkrootkit.
As for finding the original attack vector - if you really want to get into it I'd take a full image of the disk for forensic examination that we can really go into and then re-build the live system.
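As an added example (not code from the thread), a small POSIX shell script that builds on the find check above: it lists setuid/setgid regular files owned by a given account and compares that list with a baseline saved earlier, so any privileged file that has appeared since stands out for inspection. The function names and the baseline path are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Lists setuid/setgid regular files
# owned by one account under ROOT and diffs the list against a saved baseline.
# Assumptions: find, sort and comm are available (GNU or BSD variants).

# find_privileged ROOT [OWNER]
# Prints sorted paths of regular files under ROOT that carry the setuid or
# setgid bit and are owned by OWNER (user name or numeric uid; default root).
find_privileged() {
    root=$1
    owner=${2:-root}
    # -xdev keeps the walk on one filesystem; -perm -4000 / -perm -2000 test
    # the setuid / setgid bit regardless of the other permission bits.
    find "$root" -xdev -type f -user "$owner" \
        \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# save_baseline ROOT OWNER FILE
# Records the current list (taken on a known-good host) for later comparison.
save_baseline() {
    find_privileged "$1" "$2" > "$3"
}

# new_privileged ROOT OWNER FILE
# Prints privileged files present now that are absent from the baseline FILE.
# comm -13 keeps only the lines unique to the second (current) list.
new_privileged() {
    find_privileged "$1" "$2" | comm -13 "$3" -
}

# Stand-alone use on a live system (baseline path is an assumed example):
#   save_baseline / root /var/tmp/suid-baseline.txt   # once, on a clean host
#   new_privileged / root /var/tmp/suid-baseline.txt  # after a suspected compromise
```

Anything new_privileged prints deserves the same treatment as an unknown binary: check which package owns it and verify it with the package manager before trusting it.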
I believe the system has been tampered with too much to make a forensic image that would be worthwhile. In the future, you shouldn't move files, etc. as this can cause you to lose evidence.
linux user # 503963