
Pharmacy Alert Security Team Feedback
Sun, 03 Sep 2006
Respond with your experiences and questions

If you received a Pharmacy Alert, you can respond here with any questions and to share your experiences in removing the trojan.

Thank you from the Pharmacy Alert Security Team
Posted 21:58
3 comments
Thank you guys

Thank you for bringing this to my attention. I would like to note that the hacker did a couple of extra things in my particular case. They removed the reboot, shutdown, and passwd commands so that the machine could not be rebooted remotely and the password could not be changed. After reinstalling the passwd program, I discovered that I could not work with the shadow file in /etc. Because of this, I could not change the password on the system.

What I ultimately did was kill the uirqd processes and then shut down remote administration until I was able to physically work with the machine.

Ultimately the fix was backing up my database and webserver and doing a full reload of the Linux-based system.

Note that I did try to change the permissions, to delete, to move, or to do ANYTHING at all to change the shadow file (all as the root account) but to no avail.
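A root account that cannot change, delete or move /etc/shadow is the textbook effect of the ext2/ext3 immutable attribute (chattr +i): the kernel refuses the write regardless of permissions until chattr -i clears the flag, and attackers who set it usually remove chattr and lsattr alongside reboot, shutdown and passwd. The comment above does not say whether that was the cause in this case, so the script below is offered as an added triage example, not as the commenter's own procedure or anything from the Pharmacy Alert team. It assumes a Linux host with e2fsprogs (lsattr) installed; the root and proc paths are parameters so the file checks can be run against a mounted image from a rescue disk, and the process check reads /proc directly instead of calling ps. The process name uirqd is taken from the comment.

```python
"""Post-intrusion triage for the symptoms in the comment above (added example).

Assumes Linux with e2fsprogs; `root` may point at a mounted image of the
compromised disk so the suspect system's own binaries are never executed,
except lsattr, which should then come from the rescue medium.
"""
import os
import subprocess
from typing import Dict, List, Optional

# Binaries the report says were removed, plus the two needed to inspect and
# clear file attributes (an attacker who sets +i often removes these as well).
ADMIN_BINARIES = ["reboot", "shutdown", "passwd", "chattr", "lsattr"]
SEARCH_DIRS = ["bin", "sbin", "usr/bin", "usr/sbin"]


def missing_admin_binaries(root: str = "/", names: List[str] = ADMIN_BINARIES) -> List[str]:
    """Names from `names` not found in any standard binary directory under root."""
    return [
        name for name in names
        if not any(os.path.exists(os.path.join(root, d, name)) for d in SEARCH_DIRS)
    ]


def immutable_attr(path: str) -> Optional[bool]:
    """True if lsattr reports the immutable ('i') flag on path, False if it does not.

    Returns None when the answer is unknown: lsattr is missing, the file does
    not exist, or the filesystem has no ext attribute support.
    """
    try:
        out = subprocess.run(["lsattr", path], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    if not out.strip():
        return None
    flags = out.split(None, 1)[0]   # first field, e.g. "----i---------e-------"
    return "i" in flags


def processes_named(name: str, proc: str = "/proc") -> Dict[int, str]:
    """pid -> command line for every process whose comm equals `name`.

    Reads /proc directly rather than running ps, because a replaced ps is the
    usual way a rootkit hides exactly these processes. (A kernel-level rootkit
    can still hide them from /proc; a clean result is not proof of a clean host.)
    """
    found: Dict[int, str] = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "comm")) as fh:
                comm = fh.read().strip()
            with open(os.path.join(proc, entry, "cmdline"), "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue   # process exited between listdir() and open()
        if comm == name:
            found[int(entry)] = cmdline
    return found


def triage(root: str = "/", proc: str = "/proc", proc_name: str = "uirqd") -> dict:
    """Run all three checks and return one report; None means 'could not tell'."""
    return {
        "missing_binaries": missing_admin_binaries(root),
        "shadow_immutable": immutable_attr(os.path.join(root, "etc", "shadow")),
        "passwd_immutable": immutable_attr(os.path.join(root, "etc", "passwd")),
        "suspect_processes": processes_named(proc_name, proc) if os.path.isdir(proc) else {},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

If shadow_immutable comes back True, `chattr -i /etc/shadow` (run from a known-good copy of chattr) restores normal root access; check /etc/passwd, /etc/ssh and the boot scripts the same way, since the same trick is applied to whatever the attacker wants to persist. Treat every result as a hint rather than proof: once a box has had its system binaries replaced, the backup-and-reinstall route the commenter took is the only way to be sure.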
Was your server in the US?

Just out of interest. If so, there are legal representatives who will most definitely want to talk to you about this intrusion into your systems. Post back here if possible.

SiL
When reports bounce...

Out of curiosity: what can or should be done when reports bounce? I sent off a message to abuse at ashlen regarding 79.135.166.58, which has an invalid address (ashlen.biz is not a valid domain). What can be done?
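When the contact in the netblock's record is dead, the usual escalation path is the whois data itself: the registry object for the address range (abuse-mailbox or OrgAbuseEmail, depending on the registry), any e-mail mentioned in its remarks, the generic admin and tech contacts, and finally the AS that originates the route, whose operator or upstream can act on the block even when the customer's domain no longer resolves. An address whose domain does not resolve is also worth reporting to the registry that maintains the record. The script below, added here as an example and not the poster's code, pulls those candidates out of a whois reply in that order. The reply it parses is constructed for the example (RFC 5737 documentation prefix and a private-use ASN) and is not the real record for the address in the question; to run it against a live lookup, feed it the output of `whois -h whois.ripe.net <address>` instead, and check the contact domain with `dig MX` before sending.

```python
"""Extract abuse contacts and escalation targets from a whois reply (added example).

Field names follow the RIPE database (abuse-mailbox, remarks, route/origin);
the ARIN equivalents (OrgAbuseEmail, OrgTechEmail) are recognised as well.
"""
import re
from typing import List, Tuple

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
ABUSE_FIELDS = ("abuse-mailbox", "orgabuseemail")                        # RIPE / ARIN
FALLBACK_FIELDS = ("e-mail", "orgtechemail", "orgadminemail", "notify")

# Constructed reply for this example, not live registry data and not the
# record for the address discussed above.
SAMPLE_WHOIS = """\
% Constructed reply for the example, not live registry data.

inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-HOSTING
descr:          Example Hosting Ltd
country:        NL
admin-c:        EH123-RIPE
tech-c:         EH123-RIPE
abuse-c:        EA456-RIPE
status:         ASSIGNED PA
mnt-by:         EXAMPLE-MNT

role:           Example Abuse Desk
nic-hdl:        EA456-RIPE
abuse-mailbox:  abuse@hosting.invalid
remarks:        escalate to noc@example.net if no answer within 48h
mnt-by:         EXAMPLE-MNT

person:         Example Tech
nic-hdl:        EH123-RIPE
e-mail:         tech@example.net

route:          203.0.113.0/24
origin:         AS64496
mnt-by:         EXAMPLE-MNT
"""


def parse_objects(text: str) -> List[List[Tuple[str, str]]]:
    """Split a whois reply into objects: blank-line separated blocks of key: value."""
    objects: List[List[Tuple[str, str]]] = []
    current: List[Tuple[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = []
            continue
        if line.startswith(("%", "#")):
            continue   # registry comment / terms-of-use lines
        key, sep, value = line.partition(":")
        if sep:
            current.append((key.strip().lower(), value.strip()))
    if current:
        objects.append(current)
    return objects


def abuse_contacts(text: str) -> List[str]:
    """Candidate addresses, best first: explicit abuse fields, then addresses
    mentioned in remarks, then generic contact fields; duplicates removed."""
    explicit: List[str] = []
    remarks: List[str] = []
    generic: List[str] = []
    for obj in parse_objects(text):
        for key, value in obj:
            if key in ABUSE_FIELDS:
                explicit.extend(EMAIL_RE.findall(value))
            elif key == "remarks":
                remarks.extend(EMAIL_RE.findall(value))
            elif key in FALLBACK_FIELDS:
                generic.extend(EMAIL_RE.findall(value))
    seen, ordered = set(), []
    for addr in explicit + remarks + generic:
        if addr.lower() not in seen:
            seen.add(addr.lower())
            ordered.append(addr)
    return ordered


def origin_asns(text: str) -> List[str]:
    """AS numbers from route/route6 objects: the next escalation point when the
    netblock's own contacts are dead (the AS operator, then its upstream)."""
    asns: List[str] = []
    for obj in parse_objects(text):
        keys = {k for k, _ in obj}
        if "route" in keys or "route6" in keys:
            for key, value in obj:
                asn = value.upper()
                if key == "origin" and asn.startswith("AS") and asn not in asns:
                    asns.append(asn)
    return asns


if __name__ == "__main__":
    print("try in order:", abuse_contacts(SAMPLE_WHOIS))
    print("escalate to :", origin_asns(SAMPLE_WHOIS))
```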