My System May Have Been Compromised, What Should I Do?

Discussion in 'Server Operation' started by badgerbox76, Nov 19, 2009.

  1. badgerbox76

    badgerbox76 Member

    I setup a shared FTP account on my public server using ProFTPd. I locked the one user into the home directory (/home/username) and I connected using that test users credentials and it appeared to be locked. But I recently rechecked the account and I was able to explore the entire drive using an account that is used by many. I want to see what system files have been changed recently and what commands have been run. What should my course of action be?

    I am hosting 3 websites and running the ftp server on the same box. I have some sensitive information stored on this system and I'm very concerned.
     
  2. falko

    falko Super Moderator ISPConfig Developer

    First of all I'd run chkrootkit and/or rkhunter to find out if any malware has been installed.
     
  3. damir

    damir New Member

    Follow Falkos tips and have you chrooted ftp users to their home folders? What shell have you assigned to them?
     

Share This Page