[tor-relays] My VPS relay has just been hacked

Nick Sheppard nshep at attglobal.net
Sun Oct 26 20:14:16 UTC 2014

On 26/10/14 19:46, Geoff Down wrote:
> Hello Nick,
> I hop you don't mind a few pointers on this based on my experience of
> hacked sites:
>   When listing directories, use 'ls -alct' to show hidden files as well,
>   and the ctime rather than the mtime - mtime is trivial to falsify.
> When using 'ps', compare the process names with those given by running
> (as root) 'lsof -p <processnum>' where <processnum> is the number of the
> suspect process. The entries with 'txt' and 'cwd' in the fourth column
> will let you see the files connected to the process, which can be useful
> if a process is spoofing its name or the file that was run was deleted
> by the process to try to cover its tracks. Entries with 'IPv4' in the
> fifth column will show any network connections that processes have
> opened up (visible on their own using 'lsof -i') in case the bot is
> trying to call home.
>   Regards,
> Geoff
I don't mind at all!  The more pointers the better!  I'm new to VPSing 
and even newer to hack-hunting ... this is really useful.

Thanks again,

More information about the tor-relays mailing list