possibly hacked

Chu Jeang Tan chujtan at gmail.com
Fri Mar 23 15:21:35 UTC 2007


For my 1 1/2 cents' worth, this is how I, a non-sysadmin person,
manage Linux security.
My server was hacked a while back while running Slackware 8 (or so),
when there was an SSL/SSH bug which I never got around to fixing.

I guess using Fedora gives me better peace of mind, as libraries are
updated on a daily basis. Out of the box, Slackware does not have this
auto-update feature, probably because Slackware people prefer to
build and package from source.

A basic rule that I've followed is not to run any services that I am
not using. For any services that are needed, I make sure that I know
how to configure them to at least an intermediate level. Spend a few
hours to set it up properly and write documentation in
human-understandable language; it'll go a long way.

One way or another, actively configure and know your firewall
settings. Some time ago I swore I'd learned everything about
iptables, but since I've had my hardware firewall with a dumbed-down
interface, that's what I've been using.

On 3/23/07, Manuel Arostegui Ramirez <manuel at todo-linux.com> wrote:
> On Friday 23 March 2007 13:40:45 Schnulli wrote:
> > Well, we also got infected with this "bastard".
> > Ok, we're running Mandrake 10.2 (the good old one) but same problems.
> >
> > How I found it?
> > I was looking at what is running on this MDK... uuuuuuhhhhh what's that
> > => APACHE -DSSL ??? hmmm with high CPU load.... I was wondering.
> > Also I had lately lags in our bandwidth.... a lot of spam mails and a few
> > other strange things.
> > Ok.. time to do smth......
> > In our case this bastard tells you "I am APACHE -DSSL". WRONG!!!!
> > This is a Perl daemon connecting to the IRC network and spreading all
> > infos of ur sys, AND!!!! gives them full access to ur server.......
> > What to do???? Where the heck does it load from?
> > Well.... it is an exploit used by hackers to hijack boards, no matter
> > if phpBB, Joomla or other.. it's code injection and execution !! Once
> > u got infected u r having a problem we DON'T know a solution for at this time to
> > kick this lil baby off, not yet.....
> > What we did?
> > Well... this exploit needs to load external code to execute.... we
> > found where and how it starts up, in our case it is the file
> > "borek.txt" (search for it by Google etc. and you will find similar
> > problems ;) )
> > OK... we saw where this bastard tried to load its code... so we
> > blocked this IP. This will give us now the time and chance to search
> > how it works and maybe find a solution to fix it and close this
> > backdoor/bug.
> > When u deny/drop/reject access to the IP where the code is placed,
> > the daemon can't start up.. simple? yes, but no solution.....
> >
> > We'll figure out how and what it is and by chance bring u all (and
> > us) a solution to fix it
> >
> > cheers from Germany,
> > Schnulli
> >
> > By the way, if someone has a solution feel free to post it
> > here or leave me a note
> >
>
> Sorry to read you have been hacked.
> Well, it depends on the scenario, of course, but in mine, I have the public
> server with a restricted network policy, I mean, the only outbound connection
> allowed is the one made to the apt-get servers. Any other connection will be
> refused.
> So, in case we were hacked and that -DSSL was running, it wouldn't send any piece
> of information, at least.
>
> We're also using Babel Enterprise ( http://babel.sf.net ) in order to keep our
> processes and services under control, so if there's any other process running
> aside from the ones we already know and allow, it will be reported.
>
> Hope this helps.
> All the best.
> --
> Manuel Arostegui Ramirez.


-- 
Chu Jeang Tan
chujtan at gmail.com
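The symptom Schnulli describes (a process that announces itself as "APACHE -DSSL" but is really a Perl daemon) can be checked on a Linux host by comparing what each process claims in argv[0] with the executable that /proc reports for it. This is an added example, not code from anyone in the thread; the interpreter list and the two sample process records are assumptions.

```shell
#!/bin/sh
# Added example: flag processes whose argv[0] advertises one program while
# /proc/<pid>/exe resolves to a script interpreter (the "APACHE -DSSL" that
# is really a Perl daemon). Interpreter list and sample records are assumed.

is_interpreter() {
  case "$(basename "$1")" in
    perl*|python*|ruby*|sh|bash|dash) return 0 ;;
    *) return 1 ;;
  esac
}

# True when argv[0] names an existing file that starts with a #! line,
# i.e. an ordinary script whose interpreter legitimately appears as exe.
looks_like_script() {
  [ -f "$1" ] && [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]
}

# masquerade_check EXE "CMDLINE": status 0 = suspicious, 1 = looks normal.
masquerade_check() {
  exe="$1"
  argv0=$(printf '%s\n' "$2" | awk '{print $1}')
  argv0=${argv0#-}                       # "-bash" is just a login shell
  [ -n "$argv0" ] || return 1
  is_interpreter "$exe" || return 1      # only interpreter-backed processes
  is_interpreter "$argv0" && return 1    # "perl foo.pl": the name is honest
  [ "$(basename "$argv0")" = "$(basename "$exe")" ] && return 1
  looks_like_script "$argv0" && return 1 # script started via its #! line
  echo "SUSPECT: exe=$exe but command line says '$2'"
  return 0
}

# Walk /proc (Linux only); kernel threads without an exe link are skipped.
scan_proc() {
  for d in /proc/[0-9]*; do
    exe=$(readlink "$d/exe" 2>/dev/null) || continue
    cmdline=$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null)
    [ -n "$cmdline" ] || continue
    masquerade_check "$exe" "$cmdline" && echo "  pid ${d#/proc/}"
  done
}

# Constructed records, not taken from a real host.
masquerade_check /usr/bin/perl "APACHE -DSSL" || true
masquerade_check /usr/sbin/httpd "/usr/sbin/httpd -DSSL" || echo "OK: genuine httpd"
if [ "${1:-}" = "--scan" ]; then scan_proc; fi
```

Run it with --scan on a live host to walk /proc; a hit is a lead to verify against the package manager and the process's open sockets, not proof of compromise by itself.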