[Dshield] team amber alert server compromised
areust at comcast.net
Sun Aug 20 04:29:26 GMT 2006
I have been out all day.... In order to preserve evidence everything has to be
left as it is... If you move to Godaddy for a short term and get law
enforcement behind you and preserve the evidence then you have a chance...
The network plug should be pulled... So it is tough...
From what I saw in earlier messages from EV1, it appears they are holding you
solely responsible... I would say do what you got to do to get your site
moved... and the server shut down to preserve evidence.
At 11:23 PM 8/19/2006 +0000, you wrote:
>I am just now logged into the server but have made no changes ... I am
>trying to preserve all that I can for evidence in the remote hope this
>perp can get jail time ... Server is not root compromised. There is an
>ebay fraud site running from /tmp, a back door shell running from /var/tmp
>and an ssh scanner/udpflooder running from /dev/shm.
>If there is a good time to call I have unlimited long distance in the usa.
>I use plesk reloaded 7 and putty ssh to access ... Ev1 is pressing me to
>finish soon ... I am going into Plesk to stop some services not sure which
>one first and have a storm over head ...
> > From: marshm at anycast.net
> > To: list at lists.dshield.org
> > Date: Sat, 19 Aug 2006 18:51:33 -0400
> > Subject: Re: [Dshield] team amber alert server compromised
> >
> > Jim,
> >
> > First, there are *plenty* of good open source tools for keeping any Linux
> > server secure.
> >
> > Second, please contact me directly to outline a path to preserving your
> > existing HD for forensic evidence.
> >
> > Gene Marsh
> >
> > -----Original Message-----
> > From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
> > On Behalf Of Family Beistle
> > Sent: Saturday, August 19, 2006 3:04 PM
> > To: list at lists.dshield.org
> > Subject: [Dshield] team amber alert server compromised
> >
> > Team Amber Alert is a non profit public charity ... My linux server was
> > taken over ... I am in need of advice how to preserve the HD image to
> > download it for forensic review prior to reload ... Ev1 was not very
> > informative as they did not want to give advice to incur liability ... I am
> > in hopes some one could donate time to help track down these hacks and
> > scripters ... For now I am in damage control to determine level and swift
> > measure to follow to restore secure services once again; for now I am
> > preparing to slave the HD and place new restore on the virgin HD /... What
> > to do with the poisoned HD and how to preserve the evidence to have if I can
> > bring them to justice ... for now I am dealing with the exposed server and
> > the lack of reasonable open source tools for Linux Servers to remain secure
> > ... thanks for Dshield and all who comment ... This is a notice that any who
> > were attacked by our ip please advise and preserve copies of the material
> > etc please let me know ... at this point I have no clue the type of
> > compromise but that a tmp folder was opened and operating code ... had
> > disabled that so I believe the whole server must be compromised, passwords
> > and all ... I will be offline shortly to stop further attacks while I clean
> > up.
> >
> > Jim Beistle
> > 806 853 9400
> > TeamAmberAlert.Net
> > Msnx.Net
> > red hat linux server at EV1
> >
> > SANS Network Security 2006 - Las Vegas NV October 1st-9th.
> > Wide selection of 1-6 Day Courses. Top Instructors!
> > Details: isc.sans.org/clickcount.php?ad=1 (use Brochurcode "ISC")
> > "Best IT Security return on Investment" (Mario Chiock, Schlumberger)
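Jim's description (a fraud site from /tmp, a shell from /var/tmp, a scanner from /dev/shm) and his question about preserving the HD image for forensic review suggest two read-only steps a responder would take before reloading anything. The script below is an added example for this archive page, not code from the thread or from any of its posters. Its choices are assumptions: the list of staging directories, the tab-separated record format, and that `acquire_image` runs on a separate clean machine with the suspect disk attached (the "slaved" drive Jim was preparing). The process scan is live-host triage and is only useful while the machine is still up, so it belongs before the plug is pulled; the image is taken afterwards.

```shell
#!/bin/sh
# Read-only incident triage for a Linux host (example for this thread, not
# code from the list or its posters). Two parts:
#   1. list running processes whose binary or working directory sits in a
#      world-writable staging directory (/tmp, /var/tmp, /dev/shm), recording
#      the sha256 of the binary so the record can be tied to the disk image
#   2. acquire a raw image of the suspect disk plus a hash, assuming the disk
#      is attached to a separate clean machine (a "slaved" drive)
# Nothing here kills a process or writes to the suspect disk.

STAGING_DIRS="/tmp /var/tmp /dev/shm"   # assumed list; extend as needed

# in_staging_dir PATH: print "yes" (exit 0) if PATH is one of STAGING_DIRS or
# lies beneath one, else "no" (exit 1). /tmpfoo does not match /tmp.
in_staging_dir() {
    p=$1
    for d in $STAGING_DIRS; do
        case "$p" in
            "$d"|"$d"/*) echo yes; return 0 ;;
        esac
    done
    echo no
    return 1
}

# record_process PID: print one tab-separated evidence line if the process's
# exe or cwd is in a staging directory. Reads /proc only; no signals sent.
record_process() {
    pid=$1
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || exe=""
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null) || cwd=""
    [ -n "$exe$cwd" ] || return 1
    # The kernel appends " (deleted)" when the binary was unlinked after it
    # started; strip it for the path test but keep it in the record.
    exe_path=${exe%" (deleted)"}
    if in_staging_dir "$exe_path" >/dev/null || in_staging_dir "$cwd" >/dev/null; then
        cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
        # Hash through /proc/PID/exe so an unlinked binary can still be read.
        sum=$(sha256sum "/proc/$pid/exe" 2>/dev/null | cut -d' ' -f1)
        [ -n "$sum" ] || sum=unavailable
        printf '%s\t%s\t%s\t%s\t%s\n' "$pid" "$exe" "$cwd" "$sum" "$cmd"
        return 0
    fi
    return 1
}

# scan_processes: header line plus one line per process found in a staging dir.
scan_processes() {
    printf 'pid\texe\tcwd\tsha256\tcmdline\n'
    for entry in /proc/[0-9]*; do
        record_process "${entry#/proc/}"
    done
    return 0
}

# acquire_image DEVICE OUTFILE: raw copy of the slaved disk and a hash of the
# image, so the copy can later be shown unchanged. Refuses to overwrite.
# If time allows, also run sha256sum on DEVICE itself and compare the two.
acquire_image() {
    dev=$1; out=$2
    [ -b "$dev" ] || { echo "not a block device: $dev" >&2; return 1; }
    [ ! -e "$out" ] || { echo "refusing to overwrite $out" >&2; return 1; }
    # noerror,sync: continue past unreadable sectors, padding them with zeros
    dd if="$dev" of="$out" bs=4M conv=noerror,sync || return 1
    sha256sum "$out" > "$out.sha256"
    cat "$out.sha256"
}

# Sub-commands so the file can also be sourced for its functions:
#   sh triage.sh scan > processes.tsv        (on the live host)
#   sh triage.sh acquire /dev/sdb case01.img (on the clean machine)
case "${1:-}" in
    scan)    scan_processes ;;
    acquire) acquire_image "${2:-}" "${3:-}" ;;
esac
```

The process list is captured from `/proc` rather than `ps` output so that a binary deleted after launch still shows up (with the `(deleted)` suffix) and can still be hashed through `/proc/PID/exe`; save the `.tsv` off the host together with the image and its `.sha256` file.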