server hacked, need help

Hi guys,

My server has been hacked. I did a netstat and my server is attempting to contact FTPs around the world every 30 seconds.

I changed my root account, I most likely got the gumblar virus, how can I stop this thing?!

Is that a cron job?

2 Replies

@Karnius:

Hi guys,

My server has been hacked. I did a netstat and my server is attempting to contact FTPs around the world every 30 seconds.

I changed my root account, I most likely got the gumblar virus, how can I stop this thing?!

Is that a cron job?

1. Shut it down now.

2. Take an image of it for future forensic investigation.

3. Rebuild from scratch or from a known-good backup.

That's really all you can do when you get rooted, as you, in most circumstances, have no way of knowing what exactly the perpetrator did to your server.

It's worth mentioning that gumblar propagates by infecting Windows machines with malware that steals stored passwords for FTP programs, Dreamweaver and such. So make sure you've changed your passwords and disinfected any Windows machines where you stored them, before rebuilding the server.
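An added example, not part of the thread: a way to summarise the symptom from the original question (outbound connections to FTP servers) from saved `netstat -tnp` output, grouped by owning process, so the evidence can be recorded before the machine is shut down and imaged. The sample lines are constructed with documentation-range addresses, and the three-host threshold is an assumption; on a rooted host the tool output itself may not be trustworthy.

```python
from collections import defaultdict

# Constructed sample of `netstat -tnp` output (not taken from the thread).
SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 203.0.113.10:22         192.0.2.44:51515        ESTABLISHED 901/sshd
tcp        0      1 203.0.113.10:48122      198.51.100.7:21         SYN_SENT    4312/perl
tcp        0      1 203.0.113.10:48130      198.51.100.99:21        SYN_SENT    4312/perl
tcp        0      0 203.0.113.10:48141      192.0.2.200:21          ESTABLISHED 4312/perl
tcp        0      0 203.0.113.10:80         192.0.2.77:40022        TIME_WAIT   -
tcp        0      0 203.0.113.10:50500      198.51.100.7:21         ESTABLISHED 2210/lftp
"""


def split_endpoint(endpoint):
    """Split 'host:port' on the last colon so IPv6-style hosts survive."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def outbound_ftp_by_process(netstat_text):
    """Map 'PID/Program' -> set of remote hosts contacted on TCP port 21."""
    hits = defaultdict(set)
    for line in netstat_text.splitlines():
        fields = line.split()
        # Skip banner and header lines and anything that is not a TCP row.
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        local, remote, state = fields[3], fields[4], fields[5]
        if state == "LISTEN":
            continue
        remote_host, remote_port = split_endpoint(remote)
        _, local_port = split_endpoint(local)
        # Outbound FTP control traffic: remote side is port 21, local side is not.
        if remote_port != "21" or local_port == "21":
            continue
        owner = fields[6] if len(fields) > 6 else "-"
        hits[owner].add(remote_host)
    return dict(hits)


def suspicious(hits, min_hosts=3):
    """Processes talking to at least min_hosts distinct FTP servers (assumed threshold)."""
    return sorted(owner for owner, hosts in hits.items() if len(hosts) >= min_hosts)
```

The PID it reports can then be matched against crontab entries and the process list in the forensic image to answer the "is that a cron job?" question.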
