
Possible Duplicate:
My server's been hacked EMERGENCY

About a week ago, a bot broke into one of our Linux servers and sent 70k spam mails from it. I had a look into the logs and found out at what time the bot connected, what emails were sent to whom and what IP address the bot used. However, I have no idea how he actually sent the mails. The bash history seems empty and it seems like there were no files modified (I checked with "find"). We would like to make sure that there are no hidden programs somewhere that start sending spam or worse as soon as we put the server online again.

So, I'm asking: Any ideas on how the bot sent those e-mails? Could it be that he just executed one big command in bash? Should we completely reinstall the OS on the server, or is it safe to keep it running with the "hacked" system?

Thanks in advance

Stuffy

2 Answers


First of all - you need to assume the entire machine is compromised. Do not connect it back up - rebuild the entire thing from scratch. A very likely reason you can't see anything useful in bash history is that a rootkit of some kind has been used.

And the problem with rootkits is that any tools you use to find them can be subverted.

They may have used a separate bash instance, or your bash history and log files may have been compromised - difficult to tell at this stage.

Have a look at the Security Stack Exchange questions on rootkits for more info.

Rory Alsop

Maybe your SMTP daemon is just configured wrong, allowing it to relay emails to all domains.

casper