[Dshield] team amber alert server compromised

Al Reust areust at comcast.net
Sun Aug 20 04:29:26 GMT 2006

I have been out all day.... In order to preserve evidence everything has to be 
left as it is... If you move to Godaddy for a short term and get law 
enforcement behind you and preserve the evidence then you have a chance... 
The Network Plug should be pulled... So it is tough...

What I saw from earlier messages from EV1 it appears they are holding you 
solely responsible... I would say do what you got to do to get your site 
moved... and the server shut down to preserve evidence.


At 11:23 PM 8/19/2006 +0000, you wrote:
>I am just now logged into the server but have made no changes ... I am 
>trying to preserve all that I can for evidence in the remote hope this 
>perp can get jail time ... Server is not root compromised. There is an 
>eBay fraud site running from /tmp, a back door shell running from /var/tmp 
>and an ssh scanner/udpflooder running from /dev/shm.
>If there is a good time to call I have unlimited long distance in the USA. 
>I use plesk reloaded 7 and putty ssh to access ... Ev1 is pressing me to 
>finish soon ... I am going into Plesk to stop some services not sure which 
>one first and have a storm overhead ...
> > From: marshm at anycast.net
> > To: list at lists.dshield.org
> > Date: Sat, 19 Aug 2006 18:51:33 -0400
> > Subject: Re: [Dshield] team amber alert server compromised
> >
> > Jim,
> >
> > First, there are *plenty* of good open source tools for keeping any Linux
> > server secure.
> >
> > Second, please contact me directly to outline a path to preserving your
> > existing HD for forensic evidence.
> >
> > Gene Marsh
> >
> > -----Original Message-----
> > From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
> > On Behalf Of Family Beistle
> > Sent: Saturday, August 19, 2006 3:04 PM
> > To: list at lists.dshield.org
> > Subject: [Dshield] team amber alert server compromised
> >
> > Team Amber Alert is a non profit public charity ... My linux server was
> > taken over ... I am in need of advice how to preserve the HD image to
> > download it for forensic review prior to reload ... Ev1 was not very
> > informative as they did not want to give advice to incur liability ... I am
> > in hopes someone could donate time to help track down these hacks and
> > scripters ... For now I am in damage control to determine level and swift
> > measure to follow to restore secure services once again for now I am
> > preparing to slave the HD and place new restore on the virgin HD /... What
> > to do with the poisoned HD and how to preserve the evidence to have if I can
> > bring them to justice ... for now I am dealing with the exposed server and
> > the lack of reasonable open source tools for Linux Servers to remain secure
> > ... thanks for Dshield and all who comment ... This is a notice that any who
> > were attacked by our ip please advise and preserve copies of the material
> > etc please let me know ... at this point I have no clue the type of
> > compromise but that a tmp folder was opened and operating code ... had had
> > disabled that so I believe the whole server must be compromised passwords
> > and all ... I will be offline shortly to stop further attacks while I clean
> > up.
> >
> > Jim Beistle
> > 806 853 9400
> > TeamAmberAlert.Net
> > Msnx.Net
> > red hat linux server at EV1

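For the situation described in the quoted message (tools running from /tmp, /var/tmp and /dev/shm), the following is an added example, not part of the original posts: it lists processes whose executable or working directory sits in one of those directories by reading the symlinks under /proc, without writing to the disk. The function names and the optional proc-root argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): read-only triage of processes that
# run from the world-writable directories named in the quoted message.

# Directories the thread reports the intruder's tools running from.
SUSPECT_DIRS="/tmp /var/tmp /dev/shm"

# in_suspect_dir PATH -> exit 0 if PATH is one of SUSPECT_DIRS or inside it
in_suspect_dir() {
    # The kernel appends " (deleted)" when the binary was unlinked after start.
    p=${1%" (deleted)"}
    for d in $SUSPECT_DIRS; do
        case "$p" in
            "$d"|"$d"/*) return 0 ;;
        esac
    done
    return 1
}

# find_suspect_procs [PROC_ROOT]
# Prints "PID<TAB>exe|cwd<TAB>link target" for every hit.
# PROC_ROOT is a hypothetical parameter so the function can be pointed at a
# copy or a test tree; it defaults to the live /proc.
find_suspect_procs() {
    root=${1:-/proc}
    for dir in "$root"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid=${dir##*/}
        for link in exe cwd; do
            # Fails for processes we may not inspect or that already exited.
            target=$(readlink "$dir/$link" 2>/dev/null) || continue
            if in_suspect_dir "$target"; then
                printf '%s\t%s\t%s\n' "$pid" "$link" "$target"
            fi
        done
    done
}

# Typical use as root on the live host, sending output off the machine
# rather than to its own disk:  find_suspect_procs | ssh <collector> 'cat > procs.txt'
```

A hit whose target ends in " (deleted)" is a binary that was removed from disk after it started; it is still in memory, so this listing has to be captured before the server is shut down.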