[cobalt-users] RAQ4R Hacked, Restoring / backing up
- Subject: [cobalt-users] RAQ4R Hacked, Restoring / backing up
- From: Maximux Filter <maximux420@xxxxxxxxx>
- Date: Fri Aug 8 20:48:00 2003
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
Hello Group,
I have spent the better part of the day searching the
archives and have found some things that have helped
me along the way, but I have many questions and
request any help you all may be able to offer.
My Raq4r server was hacked today.
I found several directories in /home/tmp and various
hidden directories as well as rogue processes showing
up in `ps ax`. I am not sure of the rootkit, however,
I am sure that the attacker came in through httpd as
all of the files I found were owned by httpd.
The server in question is a production server with
about 150 websites hosted on it. It is very important
that I am able to restore these websites
configurations and data.
The first thing I did, at the advice of the list, was
to install the CMU tools and then raqbackup.sh. I ran
raqbackup.sh and backed up all the sites. I scp'd all
the data to a safe machine.
I also ran the Backup Utility from the admin GUI. I
backed up "All server configuration files" (according
to the cobalt gui), however I am not confident in the
cobalt gui backup utility from what I have read in the
archives.
Should I also backup all of the important
configuration files (/etc, /usr/local/etc, etc.)
manually?
I think I am ready to begin the OS RESTORE process,
however, I want to ask you all if I have everything I
am going to need to restore this production machine?
Should I make backups of things like the Postgres
database? If so, how do I do this?
Perhaps I have just not found it, but is there a "step
by step" or HOWTO that exists for completely
recovering a raq4r?
The bits and pieces of info gleaned from here and
Google have led me to this point. I just don't want
to begin to format the raq4r if I have not backed up
everything I am going to need, or if I don't have all
the tools in place to do the job.
What I am really looking for is your advice on how to
best recover my hacked box.
If anyone is interested in the rootkit used to rewt my
box, let me know off list and I will forward the
directory to you. Basically it is a directory full of
different exploits.
I appreciate any help you can offer.
Thanks in advance.
Rick
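One way to collect the configuration and Postgres backups the post asks about, and to record which files the httpd user owns, before the box is reimaged. This is an added example, not code from the original post or from the Cobalt/CMU tools; it assumes a POSIX sh with tar and sha256sum, and pg_dumpall plus a postgres system user only where Postgres is actually installed.

```shell
#!/bin/sh
# Added example (not from the original post): snapshot config directories
# and the Postgres cluster, with checksums, before wiping a compromised host.
# Assumes POSIX sh, tar, sha256sum; pg_dumpall and the postgres user only
# where Postgres is installed on the box.
set -u

# backup_configs DEST DIR... : tar each existing DIR into DEST, then write
# a sha256 manifest so the copies can be verified after scp to the safe host.
backup_configs() {
    dest=$1; shift
    mkdir -p "$dest" || return 1
    stamp=$(date +%Y%m%d-%H%M%S)
    for dir in "$@"; do
        [ -d "$dir" ] || { echo "skip: $dir not present" >&2; continue; }
        name=$(echo "$dir" | sed 's#^/##; s#/#_#g')
        archive="$dest/${name}-${stamp}.tar"
        # -p keeps owner/mode bits, so httpd-owned files stay identifiable later
        tar -cpf "$archive" "$dir" 2>/dev/null || return 1
    done
    (cd "$dest" && sha256sum ./*.tar > "SHA256SUMS-${stamp}") || return 1
    echo "$dest/SHA256SUMS-${stamp}"
}

# backup_postgres DEST : full cluster dump (roles and every database).
# Skips quietly when pg_dumpall is not installed on this host.
backup_postgres() {
    dest=$1
    mkdir -p "$dest" || return 1
    command -v pg_dumpall >/dev/null 2>&1 || { echo "pg_dumpall not found, skipping" >&2; return 0; }
    su postgres -c "pg_dumpall" > "$dest/pg_dumpall-$(date +%Y%m%d).sql"
}

# list_httpd_owned DIR OUT : inventory files owned by httpd under DIR
# (what the web server process wrote) and print how many were found.
list_httpd_owned() {
    find "$1" -user httpd -ls > "$2" 2>/dev/null
    wc -l < "$2"
}
```

Verify the copies on the safe machine with `sha256sum -c SHA256SUMS-<stamp>` in the directory you scp'd them to.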