Port 80?
Robert Brockway
robert-5LEc/6Zm6xCUd8a0hrldnti2O/JbrIOy at public.gmane.org
Mon Jun 29 07:53:47 UTC 2009
On Tue, 23 Jun 2009, cameron lord wrote:
>
> I already did, it still says apache, I hooked up my winxp laptop (sucks)
> to my switch's listen port, I have an intrusion problem o.O I found that
Very sorry to hear that.
> cable modem is all going to 125.16.27.50, and then is being served to
> xxx.xxx.xxx.xxx, which isn't very helpful at all. So far they've
> downloaded 2.5 TB of my data and I can't stop them, I need to have my
> server online at all times!
OK, the CERT recommended procedure is to take the box down as soon as you
identify the intrusion. Yes, life isn't always that simple, but bear in
mind that the baddies are doing stuff from your box the entire time that
we discuss what to do. They could be breaking in to other systems or they
might just be sharing warez.
Once a system has been compromised _you can never trust it again_. It is
a practical impossibility to be sure you have removed all the backdoors
the baddies may have put in. The only way to be sure they are gone is to
restore from verified good backups[1] or reinstall. If you reinstall then
mount any filesystems from the compromised system as "noexec" to be sure
that no binary on that filesystem can be executed.
You're saying you can't take the server down, but even true high
availability (HA) allows provision for system downtime. True 100%
availability isn't possible. 99.999% is very, very expensive.
Moving forward, when you rebuild I recommend going with virtualisation.
Replacing a virtual system is so much easier than reinstalling/restoring a
physical system. If you pick the right virtualisation option the
performance loss will be negligible. I use OpenVZ
(http://wiki.openvz.org/Main_Page) extensively but there are many options
here.
[1] You need to search the backup data using the same method you used to
locate the compromise on the running system. If you find an intrusion you
move to the next oldest backup until eventually you find a clean copy or
run out of copies to try.
Cheers,
Rob
--
I tried to change the world but they had a no-return policy
Projected IPv4 exhaustion: http://www.potaroo.net/tools/ipv4/index.html
--
The Toronto Linux Users Group. Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
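The two pieces of advice in Rob's reply, attaching the old filesystem with
"noexec" so nothing on it can run, and walking the backups newest-to-oldest
with the same check that found the intrusion, as an added example. This is
not code from the post or from the list; the device name, mount point, the
use of /proc/mounts to confirm the flags took effect, and the indicator used
(setuid/setgid files outside the directories a distribution installs them
in) are all assumptions. Substitute whatever check actually located the
compromise on the running box for find_suspicious.

```shell
#!/bin/sh
# Added example (not from the original post). Recovering data from a
# compromised disk without ever executing anything on it, then finding
# the newest backup that passes the same check.

# ro: don't alter evidence; noexec: no binary on it can be executed;
# nosuid: setuid bits are ignored; nodev: device nodes are ignored.
SAFE_MOUNT_OPTS="ro,noexec,nosuid,nodev"

# mount_compromised DEVICE MOUNTPOINT  (needs root; device is an assumption)
mount_compromised() {
    mkdir -p "$2"
    mount -o "$SAFE_MOUNT_OPTS" "$1" "$2"
}

# mounts_has_flag MOUNTPOINT FLAG [MOUNTS_FILE]
# Confirm from /proc/mounts (or a supplied copy) that FLAG really is in
# effect on MOUNTPOINT. Returns 0 if present, 1 otherwise.
mounts_has_flag() {
    mp=$1; flag=$2; file=${3:-/proc/mounts}
    awk -v mp="$mp" -v flag="$flag" '
        $2 == mp {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == flag) found = 1
        }
        END { exit found ? 0 : 1 }' "$file"
}

# find_suspicious TREE
# One example indicator (an assumption, not the post's method): setuid or
# setgid files anywhere outside the usual system binary directories.
# -xdev keeps find on the mounted filesystem itself.
find_suspicious() {
    t=${1%/}
    find "$t" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        ! -path "$t/bin/*"      ! -path "$t/sbin/*" \
        ! -path "$t/usr/bin/*"  ! -path "$t/usr/sbin/*" \
        ! -path "$t/usr/lib/*"  ! -path "$t/usr/libexec/*" \
        -print
}

# tree_is_clean TREE -> 0 if no indicators were found
tree_is_clean() {
    [ -z "$(find_suspicious "$1")" ]
}

# find_clean_backup TREE...  (pass them newest first)
# Prints the first tree that passes the check; returns 1 if none does,
# which is footnote [1]'s "run out of copies to try".
find_clean_backup() {
    for b in "$@"; do
        if tree_is_clean "$b"; then
            printf '%s\n' "$b"
            return 0
        fi
    done
    return 1
}

# Typical use (device and paths are assumptions):
#   mount_compromised /dev/sdb1 /mnt/old
#   mounts_has_flag /mnt/old noexec || echo "noexec did not take effect"
#   find_suspicious /mnt/old
#   find_clean_backup /backup/2009-06-22 /backup/2009-06-15 /backup/2009-06-08
```

The point of mounts_has_flag is that a mount command returning 0 is not the
same as the flags being in effect; read them back before copying anything
off the disk. The same find_suspicious is then run over each backup tree,
newest first, exactly as the footnote describes.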