This blog post details a guy’s ad hoc investigation of a Linux server that was compromised and turned into a zombie. Basically, the “hacker” came in, installed a root kit, an SSH back door, and an IRC bot for command and control. The post gives all the steps that the “investigator” goes through, and provides a lot of detail and screen captures.
I find it somewhat entertaining, since it’s almost exactly what I went through investigating a very similar situation several (probably nine) years ago, on my friend’s server. I actually ended up talking to the attacker in his IRC channel, and he was nice enough to tell me how he broke in. Those were the good old days…