[tor-relays] My VPS relay has just been hacked

Nick Sheppard nshep at attglobal.net
Sun Oct 26 20:14:16 UTC 2014


On 26/10/14 19:46, Geoff Down wrote:
> Hello Nick,
> I hope you don't mind a few pointers on this based on my experience of
> hacked sites:
>   When listing directories, use 'ls -alct' to show hidden files as well,
>   and the ctime rather than the mtime - mtime is trivial to falsify.
> When using 'ps', compare the process names with those given by running
> (as root) 'lsof -p <processnum>' where <processnum> is the number of the
> suspect process. The entries with 'txt' and 'cwd' in the fourth column
> will let you see the files connected to the process, which can be useful
> if a process is spoofing its name or the file that was run was deleted
> by the process to try to cover its tracks. Entries with 'IPv4' in the
> fifth column will show any network connections that processes have
> opened up (visible on their own using 'lsof -i') in case the bot is
> trying to call home.
>   Regards,
> Geoff
>
I don't mind at all!  The more pointers the better!  I'm new to VPSing 
and even newer to hack-hunting ... this is really useful.

Thanks again,
Nick

