[Hacked] Now what?

OK, just had a personal VPS hacked, which in a way is a good thing. This VPS is strictly for me to learn Linux and security, and hosts a few of my personal sites.

Now, this isn't the first time it's happened, but last time I just deleted phpBB, cleaned up /tmp and chmod 1777 it.

But now r0nin has appeared. I don't believe they have root, since I have su - set up and it emails me when root logs in.

So, in /tmp there is the r0nin file, a folder called sql (left over from last time, although inactive). It contains a .htm, a .txt and a PHP mailer. Not too worried about these as I have practised securing this VPS, and my mail queue is still empty.

So, the question is how do I find out who owns the files, where do I look to see how they did it, and by which domain? After I have found these things out I will be mounting /tmp noexec, nosuid, etc.


Thanks, Philip

 

 

 

 
