[Dshield] team amber alert server compromised

Family Beistle beistle_jr at hotmail.com
Sat Aug 19 23:23:32 GMT 2006


I am just now logged into the server but have made no changes ... I am trying to preserve all that I can for evidence in the remote hope this perp can get jail time ... Server is not root compromised. There is an eBay fraud site running from /tmp, a backdoor shell running from /var/tmp and an SSH scanner/UDP flooder running from /dev/shm.
 
If there is a good time to call, I have unlimited long distance in the USA. I use Plesk Reloaded 7 and PuTTY SSH to access ... Ev1 is pressing me to finish soon ... I am going into Plesk to stop some services, not sure which one first, and have a storm overhead ...
 
Jim




> From: marshm at anycast.net
> To: list at lists.dshield.org
> Date: Sat, 19 Aug 2006 18:51:33 -0400
> Subject: Re: [Dshield] team amber alert server compromised
> 
> Jim,
> 
> First, there are *plenty* of good open source tools for keeping any Linux
> server secure.
> 
> Second, please contact me directly to outline a path to preserving your
> existing HD for forensic evidence.
> 
> Gene Marsh
> 
> -----Original Message-----
> From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
> On Behalf Of Family Beistle
> Sent: Saturday, August 19, 2006 3:04 PM
> To: list at lists.dshield.org
> Subject: [Dshield] team amber alert server compromised
> 
> Team Amber Alert is a non-profit public charity ... My Linux server was
> taken over ... I am in need of advice on how to preserve the HD image to
> download it for forensic review prior to reload ... Ev1 was not very
> informative as they did not want to give advice and incur liability ... I am
> in hopes someone could donate time to help track down these hacks and
> scripters ... For now I am in damage control to determine the level and swift
> measures to follow to restore secure services once again. For now I am
> preparing to slave the HD and place a new restore on the virgin HD ... What
> to do with the poisoned HD and how to preserve the evidence to have if I can
> bring them to justice ... For now I am dealing with the exposed server and
> the lack of reasonable open source tools for Linux servers to remain secure
> ... Thanks for Dshield and all who comment ... This is a notice that any who
> were attacked by our IP, please advise and preserve copies of the material
> etc. Please let me know ... At this point I have no clue the type of
> compromise but that a tmp folder was opened and operating code ... I had
> disabled that so I believe the whole server must be compromised, passwords
> and all ...
> I will be offline shortly to stop further attacks while I clean up.
> 
> Jim Beistle
> 806 853 9400
> TeamAmberAlert.Net
> Msnx.Net
> red hat linux server at EV1
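An added example for the situation described in this thread (it is not code from Jim, Gene or the list): a small POSIX sh first-response script that does the two things the messages call for. It lists running processes whose binary lives in /tmp, /var/tmp or /dev/shm, the three locations the compromised host is running code from, and it images a disk bit-for-bit with a recorded SHA-256 so the copy can later be shown to be unaltered. The evidence directory name, the sample process listing and the /proc enumeration helper are assumptions for illustration, not details from the original post.

```shell
#!/bin/sh
# Added example, not from the original thread. Run as root on the
# compromised host before it is powered off for reimaging, or, for the
# imaging step, from a clean host with the suspect disk attached.

# World-writable scratch areas named in the thread. A binary running
# from any of these on a server is worth a look.
SCRATCH_DIRS='/tmp /var/tmp /dev/shm'

# Read "PID EXE_PATH" lines on stdin and print those whose executable is
# under one of SCRATCH_DIRS. A trailing " (deleted)" from readlink is kept
# and printed: attackers often unlink the binary after starting it.
flag_tmp_exec() {
    while read -r pid exe rest; do
        for d in $SCRATCH_DIRS; do
            case "$exe" in
                "$d"/*) printf '%s %s%s\n' "$pid" "$exe" "${rest:+ $rest}"; break ;;
            esac
        done
    done
}

# Live enumeration of every process's executable via /proc/<pid>/exe.
# Pipe into flag_tmp_exec, or save the full output as evidence first.
list_proc_exe() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        printf '%s %s\n' "${p#/proc/}" "$exe"
    done
}

# Constructed sample listing (assumed, not taken from the real server),
# in the format list_proc_exe produces.
SAMPLE_LISTING='1 /sbin/init
4211 /tmp/.x/httpd (deleted)
4220 /var/tmp/.s/shell
4231 /dev/shm/.r/scan
4300 /usr/sbin/sshd'

# Runs the filter over the sample listing; returns the flagged lines.
demo_flag() {
    printf '%s\n' "$SAMPLE_LISTING" | flag_tmp_exec
}

# Copy DEVICE to IMAGE. conv=noerror,sync keeps reading past unreadable
# sectors and pads them with zeros so offsets in the image stay aligned
# (so the tail of the image may be padded up to one 4M block). The SHA-256
# of the finished image is written beside it; re-hashing later shows the
# evidence has not changed. Prints the "hash  path" line.
image_disk() {
    dev=$1; img=$2
    dd if="$dev" of="$img" bs=4M conv=noerror,sync 2>/dev/null || return 1
    sha256sum "$img" > "$img.sha256"
    cat "$img.sha256"
}

# Usage on the live host (assumed paths):
#   mkdir -p /root/evidence
#   list_proc_exe > /root/evidence/proc_exe.txt
#   flag_tmp_exec < /root/evidence/proc_exe.txt
#   image_disk /dev/sda /mnt/usb/sda.dd
demo_flag
```

Two caveats a responder would want: anything read from /proc on the compromised host is only as trustworthy as the kernel and the tools on that host, so if root compromise is suspected the listing is a triage aid, not proof of absence; and the disk should be imaged with the host offline or from a clean machine, as the original message proposes by slaving the drive, because a running system keeps writing to the filesystem while dd reads it.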

