[tor-relays] My VPS relay has just been hacked

Geoff Down geoffdown at fastmail.net
Sun Oct 26 19:46:52 UTC 2014


Hello Nick,
I hope you don't mind a few pointers on this based on my experience of
hacked sites:
When listing directories, use 'ls -alct' to show hidden files as well,
and the ctime rather than the mtime - mtime is trivial to falsify.
When using 'ps', compare the process names with those given by running
(as root) 'lsof -p <processnum>' where <processnum> is the number of the
suspect process. The entries with 'txt' and 'cwd' in the fourth column
will let you see the files connected to the process, which can be useful
if a process is spoofing its name or the file that was run was deleted
by the process to try to cover its tracks. Entries with 'IPv4' in the
fifth column will show any network connections that processes have
opened up (visible on their own using 'lsof -i') in case the bot is
trying to call home.
Regards,
Geoff

-- 
http://www.fastmail.fm - Faster than the air-speed velocity of an
                          unladen european swallow
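As an added example (not part of Geoff's message), a small POSIX shell triage helper that applies the lsof checks above: it pulls the 'txt'/'cwd' rows and the 'IPv4' rows out of captured 'lsof -p' output, flags a deleted executable, and cross-checks a live PID's name against /proc on Linux. The sample lsof rows, PID 4242, the /tmp/.x path and the 203.0.113.7 address are constructed.

```shell
#!/bin/sh
# Triage helpers for the lsof / ps cross-check (added example, not the list post's code).

# Constructed sample of 'lsof -p 4242' output: the binary was deleted after
# launch and the process holds an outbound TCP connection.
SAMPLE_LSOF='COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
sshd    4242 root  cwd    DIR  253,0     4096      2 /
sshd    4242 root  txt    REG  253,0   812344  91234 /tmp/.x/sshd (deleted)
sshd    4242 root  mem    REG  253,0  1926200  12345 /lib/x86_64-linux-gnu/libc.so.6
sshd    4242 root    3u  IPv4  98765      0t0    TCP 10.0.0.5:43210->203.0.113.7:6667 (ESTABLISHED)
sshd    4242 root    4u  unix  0x0000      0t0  54321 socket'

# Rows whose FD column (4th) is 'cwd' or 'txt': the directory and the file
# actually executed, regardless of what the process calls itself in ps.
lsof_program_files() {
    awk 'NR > 1 && ($4 == "cwd" || $4 == "txt") {
             name = $9; for (i = 10; i <= NF; i++) name = name " " $i
             print $4 "\t" name
         }'
}

# Rows whose TYPE column (5th) is 'IPv4': protocol, endpoints and state,
# i.e. anything that could be the bot calling home.
lsof_network_connections() {
    awk 'NR > 1 && $5 == "IPv4" {
             ep = $8; for (i = 9; i <= NF; i++) ep = ep " " $i
             print ep
         }'
}

# Exit 0 when the executable ('txt') was unlinked after launch.
# On Linux the mapped image can still be copied from /proc/<pid>/exe.
lsof_txt_deleted() {
    awk 'NR > 1 && $4 == "txt" && $NF == "(deleted)" { found = 1 }
         END { exit found ? 0 : 1 }'
}

# Live check (Linux only): the name ps shows comes from /proc/PID/comm, the
# real image from /proc/PID/exe. comm is truncated to 15 chars, so treat a
# mismatch as a lead to verify with lsof, not as proof of spoofing.
proc_name_check() {
    pid="$1"
    comm="$(cat "/proc/$pid/comm")"
    exe="$(readlink "/proc/$pid/exe")"
    case "$exe" in *" (deleted)") echo "PID $pid: binary deleted after launch: $exe" ;; esac
    [ "${exe##*/}" = "$comm" ] || echo "PID $pid: name '$comm' differs from exe $exe"
}

printf '%s\n' "$SAMPLE_LSOF" | lsof_program_files
printf '%s\n' "$SAMPLE_LSOF" | lsof_network_connections
printf '%s\n' "$SAMPLE_LSOF" | lsof_txt_deleted && echo "executable deleted; preserve /proc/4242/exe before killing"
```

Run it against real output with 'lsof -p <pid> | lsof_program_files' (as root), and 'proc_name_check <pid>' for the live comparison.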



More information about the tor-relays mailing list