hi everyone,
i've got a little problem here...
by the last weekend, a linux server (SuSE 8.0 with selfcompiled apache/php/mysql, exim, bind) under my administration has been hacked (firewall has been disabled for some ip change reason, sadly...). after inspecting the system for changes i found out the intruder installed some irc software (namely mirkforce) and a rootkit ("init" executable changed) on my machine. logs showed the intruder used a samba exploit to get into it.
luckily, i log the traffic passing my router, so i found out the main system penetration was initiated by a machine located in taiwan. but(!), by using some undeletion tools to recover the files the hacker used, i found out the guy has to be somewhere here in germany. he used a german irc server to connect to and german folder names for his tools. by portscanning the taiwanese machine i found out that the server there has to be a windows machine, offering web and email services. by open port 5000 (UPnP) i concluded the hacker might have hijacked the computer by using the well known exploit and used it as a proxy server for his attack.
to track this a**hole, i decided not to close down my machine and reinstall, but to try getting more information to catch him. for this reason, i installed a kernel module to log all bash commands being input. further, i use tcpdump to log all connections.
so, finally, my question: has anyone suggestions for other tools being helpful to hunt this bastard down? something like a trap maybe?
thanks for reading so far,
greetings from germany!
127.0.0.1
--
^v^
127.0.0.1 - localhost
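The poster noticed the compromise partly because the "init" executable had been replaced. The following is an added example, not code from the original post: a small file-integrity baseline check that records a SHA-256 hash, size and mode for a set of binaries while the system is known-good and later reports which of them were modified or removed. The `demo()` function constructs a throwaway directory with fake `init`, `ifconfig` and `ls` files to stand in for `/sbin`; those paths and contents are constructed for the demonstration only.

```python
"""File-integrity baseline check (added example, not from the original post).

A hash baseline taken while the host is known-good makes a replaced binary
such as "init" detectable mechanically. Paths and contents in demo() are
constructed for the demonstration; on a real host you would baseline
/sbin, /bin, /usr/bin etc. and keep the baseline file on read-only media,
since a rootkit that can replace init can also edit a baseline on disk.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List, Tuple


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _record(path: str) -> dict:
    st = os.stat(path)
    return {
        "sha256": sha256_file(path),
        "size": st.st_size,
        "mode": oct(st.st_mode & 0o7777),
    }


def build_baseline(paths: List[str]) -> Dict[str, dict]:
    """Record hash, size and permission bits for each path."""
    return {p: _record(p) for p in paths}


def verify_baseline(baseline: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Compare current files against the baseline.

    Returns (path, status) pairs with status one of:
    "ok", "modified" (content changed), "mode-changed", "missing".
    """
    findings: List[Tuple[str, str]] = []
    for path, rec in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
            continue
        current = _record(path)
        if current["sha256"] != rec["sha256"]:
            findings.append((path, "modified"))
        elif current["mode"] != rec["mode"]:
            findings.append((path, "mode-changed"))
        else:
            findings.append((path, "ok"))
    return findings


def demo() -> Dict[str, str]:
    """Baseline a fake /sbin, then simulate a replaced init and a deleted tool.

    Returns {basename: status} so the result is easy to inspect or assert on.
    """
    with tempfile.TemporaryDirectory() as root:
        sbin = os.path.join(root, "sbin")
        os.mkdir(sbin)
        files = {}
        # Constructed stand-ins for real binaries.
        for name, content in [("init", b"original init binary"),
                              ("ifconfig", b"original ifconfig binary"),
                              ("ls", b"original ls binary")]:
            p = os.path.join(sbin, name)
            with open(p, "wb") as f:
                f.write(content)
            os.chmod(p, 0o755)
            files[name] = p

        baseline = build_baseline(list(files.values()))
        # Round-trip through JSON, as a baseline stored on removable media would be.
        baseline = json.loads(json.dumps(baseline))

        # Simulate the intrusion described in the post: init swapped, a tool removed.
        with open(files["init"], "wb") as f:
            f.write(b"trojaned init binary")
        os.remove(files["ifconfig"])

        return {os.path.basename(p): status for p, status in verify_baseline(baseline)}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The check is only as trustworthy as the tools it runs with: on a host whose `init` is already replaced, `ls`, `md5sum` or even the Python interpreter may lie, so the comparison should be run from a clean boot medium against the mounted disk, with the baseline stored where the intruder could not rewrite it.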