[Tfug] Server Compromise

[Jeffry Johnston]

A statically compiled busybox (use a different machine to compile :) can
give you your common utility programs (rm, cp, various shells, account
tools, etc).  Run it off a CD-R or write protected floppy to prevent
tampering.  I have to agree, though.. if you suspect the box is rooted, you
need to start over.  Perhaps bring up another machine along side.. then when
it is ready, switch services to using the new machine in your router setup.


Jeff

On 9/28/07, Chris Hill <ubergeek at ubergeek.tv> wrote:
>
> So first off:
>
> I'm not looking for a quick solution, but just ideas that may help me
> figure out the attack vector so that I may more thoroughly fix the
> problem. Thanks to ALL, for their input, regardless of whether it was
> trolling or genuinely helpful. I just want ideas, and its been helpful.
> Also Ron, your ideas are very sound, but see below, I don't think it was
> a web-based php/perl attack after all.
>
> So today I logged in to another server, and found that the attackers
> have gotten ahold of that server too (no priv escalation tho). So what
> does that mean? Well, it means that it is *very* probable the attackers
> are the same people who broke in before and hosed our mail server. The
> attack vector there was a keylogger on a coworker's machine, so I don't
> think this attack is at all *nix specific.
>
> This also means that the access vector is most likely ssh-specific. So
> we've shut off ssh from external networks and this should really fix the
> issue. Its kind of shifting my attitude about security from 'hardening'
> to 'internal access only'. Because regardless of how tough your server
> is, you're just better off limiting access to your place of
> work/home/etc through hosts.allow or other methods.
>
>
> C
>
> _______________________________________________
> Tucson Free Unix Group - tfug at tfug.org
> Subscription Options:
> http://www.tfug.org/mailman/listinfo/tfug_tfug.org
>