[Tfug] Server Compromise
Chris Hill
ubergeek at ubergeek.tv
Fri Sep 28 10:50:20 MST 2007
So first off:
I'm not looking for a quick solution, but just ideas that may help me
figure out the attack vector so that I may more thoroughly fix the
problem. Thanks to ALL, for their input, regardless of whether it was
trolling or genuinely helpful. I just want ideas, and its been helpful.
Also Ron, your ideas are very sound, but see below, I don't think it was
a web-based php/perl attack after all.
So today I logged in to another server, and found that the attackers
have gotten ahold of that server too (no priv escalation tho). So what
does that mean? Well, it means that it is *very* probable the attackers
are the same people who broke in before and hosed our mail server. The
attack vector there was a keylogger on a coworker's machine, so I don't
think this attack is at all *nix specific.
This also means that the access vector is most likely ssh-specific. So
we've shut off ssh from external networks and this should really fix the
issue. Its kind of shifting my attitude about security from 'hardening'
to 'internal access only'. Because regardless of how tough your server
is, you're just better off limiting access to your place of
work/home/etc through hosts.allow or other methods.
C
More information about the tfug
mailing list