[Tfug] Server Compromise

John Kiniston johnkiniston at gmail.com
Fri Sep 28 11:17:59 MST 2007


I recommend you download something like chkrootkit and run it on all
your servers, known compromised and not.

I would not leave compromised machines on the network as you never
know what they may be doing. You could have machines doing reverse ssh
tunnels out to other hosts or IRC bots listening for commands.

Disks are cheap, buy new ones, install a fresh OS and copy data over
with the machines booted off known clean OSes.

On Sep 28, 2007, at 10:50 AM, Chris Hill <ubergeek at ubergeek.tv> wrote:

> So first off:
>
> I'm not looking for a quick solution, but just ideas that may help me
> figure out the attack vector so that I may more thoroughly fix the
> problem. Thanks to ALL, for their input, regardless of whether it was
> trolling or genuinely helpful. I just want ideas, and it's been helpful.
> Also Ron, your ideas are very sound, but see below, I don't think it was
> a web-based php/perl attack after all.
>
> So today I logged in to another server, and found that the attackers
> have gotten ahold of that server too (no priv escalation tho). So what
> does that mean? Well, it means that it is *very* probable the attackers
> are the same people who broke in before and hosed our mail server. The
> attack vector there was a keylogger on a coworker's machine, so I don't
> think this attack is at all *nix specific.
>
> This also means that the access vector is most likely ssh-specific. So
> we've shut off ssh from external networks and this should really fix the
> issue. It's kind of shifting my attitude about security from 'hardening'
> to 'internal access only'. Because regardless of how tough your server
> is, you're just better off limiting access to your place of
> work/home/etc through hosts.allow or other methods.
>
>
> C
>
> _______________________________________________
> Tucson Free Unix Group - tfug at tfug.org
> Subscription Options:
> http://www.tfug.org/mailman/listinfo/tfug_tfug.org
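John's first step, checking every server with something like chkrootkit and rebuilding from media booted off a known-clean OS, comes down to comparing what is on the disk with what should be there. The following is an added example, not chkrootkit and not code from the thread: a minimal manifest comparison of the kind you would run against a suspect disk mounted read-only under a clean-booted rescue system. It hashes every regular file under a root, compares against a manifest taken while the system was trusted, and reports modified, missing and unexpected files. The directory tree, file names and contents are constructed for the example.

```python
"""Manifest-based file integrity check for a suspect filesystem tree.

Added example, not from the thread and not chkrootkit. Assumes the
suspect disk is mounted (read-only) under a clean-booted rescue system
at some root, and that the trusted manifest came from trusted media.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash one file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root):
    """Map each regular file under root (relative, '/'-separated) to its SHA-256.
    Symlinks are skipped; their targets are hashed where they really live."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare(trusted, observed):
    """Classify differences between the trusted manifest and what is on disk."""
    return {
        "modified": sorted(p for p in trusted if p in observed and observed[p] != trusted[p]),
        "missing": sorted(p for p in trusted if p not in observed),
        "unexpected": sorted(p for p in observed if p not in trusted),
    }


def demo():
    """Constructed scenario: snapshot a tiny clean tree, then introduce the
    three kinds of change the check is meant to surface."""
    with tempfile.TemporaryDirectory() as root:
        clean = {
            "bin/ls": b"clean ls binary",
            "bin/ps": b"clean ps binary",
            "etc/cron.allow": b"root\n",
        }
        for rel, data in clean.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        trusted = hash_tree(root)  # manifest taken while the system is clean

        # Later state of the same tree: one binary replaced, one file added,
        # one file removed (all constructed for the example).
        with open(os.path.join(root, "bin", "ps"), "wb") as fh:
            fh.write(b"replaced ps binary")
        with open(os.path.join(root, "bin", ".hidden"), "wb") as fh:
            fh.write(b"not in the manifest")
        os.remove(os.path.join(root, "etc", "cron.allow"))

        return compare(trusted, hash_tree(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:>10}: {paths}")
```

Two things make the check worth more than running the same hashes on the live system: the hashes are computed from a boot environment the intruder never touched, so a kernel-level rootkit on the suspect install cannot hide files or lie about their contents, and the manifest comes from trusted media rather than from the package database on the suspect disk, which can be edited just like any other file there.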

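Chris's fix is to restrict sshd to internal networks through hosts.allow. As an added example (not part of the thread), the script below evaluates a hosts.allow/hosts.deny pair offline using the TCP wrappers matching order, so the rules can be confirmed to exclude external addresses before anyone relies on them. The sample rule files, the network ranges and the client addresses are all constructed; only the pattern forms they use are implemented.

```python
"""Offline check of TCP wrappers (hosts.allow / hosts.deny) rules for sshd.

Added example, not code from the thread. The evaluation order follows tcpd:
a (daemon, client) pair is granted if it matches hosts.allow, otherwise
denied if it matches hosts.deny, otherwise granted. Only the pattern forms
used below are implemented (ALL, single IP, net/mask, CIDR, trailing-dot
prefix); hostnames, EXCEPT lists and shell-style wildcards are not.
"""
import ipaddress

# Constructed sample rule files: sshd reachable only from the office LAN,
# the VPN range and localhost; everything else is denied by the catch-all.
HOSTS_ALLOW = """
# office LAN and VPN clients
sshd: 192.168.1.0/255.255.255.0, 10.8.0.0/24
sshd: 127.0.0.1
"""

HOSTS_DENY = """
ALL: ALL
"""


def _split_list(field):
    return [p.strip() for p in field.split(",") if p.strip()]


def parse_rules(text):
    """Turn 'daemon_list : client_list' lines into (daemons, clients) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        daemons, sep, clients = line.partition(":")
        if not sep:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((_split_list(daemons), _split_list(clients)))
    return rules


def client_matches(pattern, ip):
    """Does one client pattern match the client IP (given as a string)?"""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        # trailing dot = network prefix, e.g. "10." matches 10.x.x.x
        return ip.startswith(pattern)
    try:
        addr = ipaddress.ip_address(ip)
        if "/" in pattern:
            # ipaddress accepts both "net/prefixlen" and "net/dotted-mask"
            return addr in ipaddress.ip_network(pattern, strict=False)
        return addr == ipaddress.ip_address(pattern)
    except ValueError:
        return False  # hostname patterns and the like are out of scope here


def rule_matches(rule, daemon, ip):
    daemons, clients = rule
    daemon_ok = any(d == "ALL" or d == daemon for d in daemons)
    return daemon_ok and any(client_matches(c, ip) for c in clients)


def access_allowed(daemon, ip, allow_rules, deny_rules):
    """Apply tcpd's evaluation order and return True if access is granted."""
    if any(rule_matches(r, daemon, ip) for r in allow_rules):
        return True
    if any(rule_matches(r, daemon, ip) for r in deny_rules):
        return False
    return True  # no rule matched at all: tcpd grants access


ALLOW = parse_rules(HOSTS_ALLOW)
DENY = parse_rules(HOSTS_DENY)


def sshd_reachable_from(ip, deny_rules=DENY):
    return access_allowed("sshd", ip, ALLOW, deny_rules)


if __name__ == "__main__":
    for ip in ("192.168.1.25", "10.8.0.7", "127.0.0.1", "203.0.113.5"):
        verdict = "allowed" if sshd_reachable_from(ip) else "denied"
        print(f"sshd from {ip:>14}: {verdict}")
    # the classic mistake: a hosts.allow with no catch-all in hosts.deny
    open_verdict = "allowed" if sshd_reachable_from("203.0.113.5", deny_rules=[]) else "denied"
    print(f"without ALL: ALL in hosts.deny, 203.0.113.5 is {open_verdict}")
```

The last check in the usage block is the one that matters: because tcpd grants access when nothing matches, a hosts.allow on its own restricts nothing, and the `ALL: ALL` line in hosts.deny is what turns the allow list into a whitelist. On current systems note that OpenSSH removed its tcp_wrappers support in 6.7, so on a modern distribution sshd may not consult hosts.allow at all; the equivalent today is a `Match Address` block or `AllowUsers` in sshd_config, or a host firewall rule, and the same default-allow question applies to whichever mechanism is used.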


