[Tfug] Server Compromise

Predrag Punosevac punosevac72 at gmail.com
Thu Sep 27 16:16:58 MST 2007


What kind of server do you run? HTTP, mail server, database?
What kind of firewall do you have? What is the kernel security level (I
hope this exists in the Linux world)? How did they get into your server if
all but a few ports are closed? The only way to block the BSDs is fake
demands from the server that would completely block your ports, but
still there is no theoretical possibility that a properly run BSD box
gets hijacked.

Note for future use! I would not run a mail server on the HTTP or
database server, period.
If you are running a mail server, the content must be scanned by ClamAV
or similar software.
That is the sole source of security risk.

Another thing: how is your Linux box partitioned? Outside users
should not have access to anything but the /var partition.

Why is the server running Ubuntu? You might want to switch to OpenBSD if
the server content and services are so important.

Sounds to me like your troubles are home-made.

On 9/27/07, Chris Hill <ubergeek at ubergeek.tv> wrote:
> Hi all,
>
> I've got a major headache today, looking to see if someone might be able
> to help. We've got a server; it's been compromised with a phishing scam.
> It looks like it's very possibly been rooted. I cannot fully turn off
> the box, but we are pulling all non-essential services off the public
> net. If anyone can help me figure out how bad things are, that would be
> really cool.
>
> I am working on the assumption we are rooted, mainly because the user
> has copied files as root to the box into /tmp and /var/www. I removed
> the /var/www files and he put them back and made it so that I cannot
> delete them (even as root). I'm also assuming that my ls, lsattr,
> chmod, chown, chattr, etc. files are hacked, which is why I cannot
> delete the /var/www files.
>
> If you're able to look at the box and see if you can help me delete
> these files and figure out what's going on, that'd be great!
>
> Thanks
> C
>
> _______________________________________________
> Tucson Free Unix Group - tfug at tfug.org
> Subscription Options:
> http://www.tfug.org/mailman/listinfo/tfug_tfug.org
>
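Two checks a responder wants for the symptom Chris describes above (files that root cannot delete, and suspicion that ls, lsattr, chattr and friends were replaced) are shown in the following added example. It is not code from anyone in this thread. It asks the kernel for inode attribute flags through the FS_IOC_GETFLAGS ioctl instead of trusting the host's lsattr binary (a file with the immutable flag set cannot be unlinked even by root until the flag is cleared), and it compares core binaries against a trusted hash baseline. The baseline dictionary and the paths in it are constructed placeholders; a real one comes from a clean install or the distribution's package hashes carried in on read-only media.

```python
"""
Triage helpers for a suspected-rooted Linux host (added example, not code
from the thread's participants).

1. inode_flags()/decode_flags(): read ext2/3/4-style attribute flags via
   ioctl so the result does not depend on the on-disk lsattr binary.
2. verify_baseline(): compare current SHA-256 of critical binaries with a
   known-good baseline (constructed placeholder values below).
"""
import array
import fcntl
import hashlib
import os
import struct
import sys

# Values from linux/fs.h. FS_IOC_GETFLAGS encodes sizeof(long), so it
# differs between 64-bit (0x80086601) and 32-bit (0x80046601) builds.
FS_IOC_GETFLAGS = 0x80086601 if struct.calcsize("l") == 8 else 0x80046601
FS_IMMUTABLE_FL = 0x00000010   # chattr +i: no write, no rename, no unlink
FS_APPEND_FL = 0x00000020      # chattr +a: append-only

FLAG_NAMES = {FS_IMMUTABLE_FL: "i", FS_APPEND_FL: "a"}

# Constructed placeholder baseline: path -> SHA-256 hex of the clean binary.
TRUSTED_BASELINE = {
    "/bin/ls": "<sha256 of clean ls>",
    "/usr/bin/lsattr": "<sha256 of clean lsattr>",
    "/usr/bin/chattr": "<sha256 of clean chattr>",
}


def decode_flags(flags: int) -> list:
    """Translate a raw inode flag word into the chattr letters of interest."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]


def inode_flags(path: str) -> int:
    """Return the inode attribute flags of `path` via ioctl.

    Raises OSError (ENOTTY) on filesystems without attribute support,
    such as tmpfs, so callers should expect and report that case.
    """
    fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    try:
        buf = array.array("l", [0])
        fcntl.ioctl(fd, FS_IOC_GETFLAGS, buf, True)
        return buf[0]
    finally:
        os.close(fd)


def sha256_file(path: str) -> str:
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_baseline(baseline: dict, hasher=sha256_file) -> dict:
    """Compare each baseline entry with the file currently on disk.

    Returns {path: "ok" | "MISMATCH" | "MISSING"}. `hasher` is injectable so
    the comparison logic can be exercised without touching real binaries.
    """
    results = {}
    for path, expected in baseline.items():
        try:
            results[path] = "ok" if hasher(path) == expected else "MISMATCH"
        except FileNotFoundError:
            results[path] = "MISSING"
    return results


if __name__ == "__main__":
    # Usage: python3 triage.py /var/www/suspicious_file ...
    for p in sys.argv[1:]:
        try:
            print(p, "flags:", decode_flags(inode_flags(p)) or "none")
        except OSError as e:
            print(p, "ioctl failed:", e)
    for path, status in verify_baseline(TRUSTED_BASELINE).items():
        print(path, status)
```

If a file shows the `i` flag, that alone explains why root cannot delete it; clearing the flag through a chattr binary is only meaningful once that binary has been verified against the baseline. The interpreter and the kernel are themselves trusted here, which is why the usual practice is to run such checks from clean boot media rather than on the live, possibly rooted system.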