my server was cracked; now what?

Fraser Campbell fraser-eicrhRFjby5dCsDujFhwbypxlwaOVQ5f at public.gmane.org
Tue Jul 18 14:56:29 UTC 2006


Aaron Vegh wrote:

> My first step was to eliminate two user accounts created by the
> attacker, and I've been watching the server all day for any further
> activity; there's been none. I did see the installation of an IRC bot

How are you monitoring?  Are you sure there are not hidden processes which
you do not see - have you verified that ps, top, netstat, etc are not
modified?  You can find out a lot of these things from the running system
but it takes knowledge and these days the rootkits might be good enough to
even modify /proc entries ... the only sure way is to take the system
offline and verify every binary, then verify every single modified file
(config file, init scripts, etc.), then apply every single security update
that is applicable to your system - if you haven't figured out how they got
in then every single network accessible application should be suspect.


> My server is a dedicated machine with only shell access, so taking it
> offline isn't an option. I've written to the hoster's tech support,
> and they came back with:

Is it business critical that people get shell access from the Internet?
Are you at least using ssh with key based authentication and blocking
password authentication?

-- 
Fraser Campbell <fraser-Txk5XLRqZ6CsTnJN9+BGXg at public.gmane.org>                 http://www.wehave.net/
Georgetown, Ontario, Canada                               Debian GNU/Linux
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
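Two checks that act on the advice in the reply above, as an added example that is not part of the thread: comparing the kernel's /proc listing with what ps reports, to spot processes a trojaned ps would hide, and confirming that sshd_config disables password authentication. It assumes a POSIX shell with ps, comm, sed and mktemp; the proc directory and config path are parameters so the functions can also be pointed at a copy.

```shell
#!/bin/sh
# Added example, not code from the thread: two defender checks following
# the reply's advice. (1) Cross-check /proc against ps: a userland rootkit
# that trojans ps/top/netstat hides processes from those tools but not from
# the kernel's /proc listing. (2) Confirm sshd refuses password logins.
# Neither replaces offline verification: a kernel kit can hide /proc too.

# Numeric (PID) directories in a proc filesystem, C-sorted for comm(1).
# $1: proc mount point, defaults to /proc (a temp dir in tests).
proc_pids() {
    for entry in "${1:-/proc}"/*; do
        [ -d "$entry" ] || continue
        pid=${entry##*/}
        case "$pid" in *[!0-9]*) continue ;; esac   # skip self, sys, ...
        echo "$pid"
    done | LC_ALL=C sort
}

# PIDs as ps reports them, sorted the same way.
ps_pids() {
    ps -e -o pid= | tr -d ' ' | LC_ALL=C sort
}

# Lines present in the first sorted file but absent from the second.
pids_missing_from() {
    comm -23 "$1" "$2"
}

# Report PIDs the kernel exposes that ps does not show; returns 1 if any.
# A PID that exited between the two listings is a benign hit; rerun to confirm.
check_hidden_pids() {
    tmp=$(mktemp -d) || return 2
    proc_pids "${1:-/proc}" > "$tmp/proc"
    ps_pids > "$tmp/ps"
    hidden=$(pids_missing_from "$tmp/proc" "$tmp/ps")
    rm -rf "$tmp"
    [ -z "$hidden" ] && { echo "ps and /proc agree"; return 0; }
    printf 'PIDs in /proc but not in ps (possible hidden processes):\n%s\n' "$hidden"
    return 1
}

# True (0) if the sshd_config in $1 still allows password logins. sshd's
# default is "PasswordAuthentication yes" and the first directive wins.
ssh_password_auth_enabled() {
    setting=$(sed -n 's/^[[:space:]]*PasswordAuthentication[[:space:]]\{1,\}\([A-Za-z]*\).*/\1/p' "$1" | head -n 1)
    [ "$(echo "$setting" | tr 'A-Z' 'a-z')" != "no" ]
}
```

Run `check_hidden_pids` as root on the live host and `ssh_password_auth_enabled /etc/ssh/sshd_config` to see whether the box still accepts password logins; a hit from the first check is a reason to go to the offline verification the reply describes, not a verdict on its own.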