[aclug-L] Re: Problems

To: <discussion@xxxxxxxxx>
Subject: [aclug-L] Re: Problems
From: "Dale W Hodge" <dwh@xxxxxxxxxxxxxxxx>
Date: Sat, 22 Oct 2005 14:05:09 -0500
Reply-to: discussion@xxxxxxxxx


> -----Original Message-----
> From: discussion-bounce@xxxxxxxxx
> [mailto:discussion-bounce@xxxxxxxxx] On Behalf Of Steven Saner
> Well, you can try to upgrade all of the web related software to the
> newest stable versions, but you really want to try to figure out what
> exactly was compromised. In my experience, this was most likely a
> vulnerability in some dynamic content software, such as a CGI or PHP
> script of some kind.

I still haven't figured out just what was compromised. For the short term,
the web server has been shut down. I'm thinking about going back to static
content on most of my sites since the dynamic part has seldom been utilized.

> Have you been through the web server logs? Sometimes if you can find
> accesses just before or right at the time the exploit began, you can
> get an idea of what script or whatever was used in an undesirable
> way. Look at the error logs too, as whatever was done could have
> generated an error. Of course, if the server logs got modified in the
> process, this may not help, but if they really didn't get root access,
> you might be lucky.

The logs all appear to be intact, but they haven't been of much help yet.

> You should also try to look through the files that make up your web
> site(s) and see if there are any files that should not be there. This
> kind of thing is commonly done by getting a script to write some
> arbitrary data (like code) to a file, and then getting that or another
> script to somehow execute that code.

I haven't found anything in the web area, but upon further inspection I
found I had a root kit installed. It took me several hours to eradicate it,
but I think everything is back to normal. Whoever did this was sloppy, and
left some obvious clues like wrong ownership of system files, and the
immutable bit set. A little snooping using lsattr found most of the changed
files and the source directory where they had installed from. I mounted the
HD on a known clean machine and restored from there. I then used several
root kit detectors to verify that everything was clean. While a fresh
install would be preferable, it's not practical at this time. Instead, I've
changed all the passwords and will do a nightly scan for possible exploits.

--Dale


-- This is the discussion@xxxxxxxxx list.  To unsubscribe,
visit http://www.complete.org/cgi-bin/listargate-aclug.cgi
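The two indicators Dale used to find the rootkit (the immutable attribute
and wrong ownership of system files), turned into the kind of nightly sweep
he mentions. This is an added example, not Dale's script and not anything
posted to the list; the directory list, the use of GNU `find -printf`, and
the cron line are assumptions, and the sample `lsattr`/`find` output in the
block is constructed so the parsers can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread): nightly sweep for two rootkit
# indicators, files carrying the ext2/3/4 immutable attribute and system
# binaries not owned by root:root. SYSTEM_DIRS and the GNU find -printf
# format are assumptions; adjust for the host.

SYSTEM_DIRS="/bin /sbin /usr/bin /usr/sbin /lib"

# find_immutable: read `lsattr -R` output on stdin and print the path of
# every entry whose attribute field contains the lowercase 'i' (immutable)
# flag. Directory headers ("/usr/lib:") and blank lines have one field and
# are skipped; uppercase 'I' (indexed directory) does not match.
find_immutable() {
    awk 'NF >= 2 && $1 ~ /i/ { sub(/^[^ ]+[ ]+/, ""); print }'
}

# check_ownership: read "owner group path" lines (what
# `find -printf "%u %g %p\n"` emits) and print the path of every file not
# owned by root:root. A rootkit dropped via a web-server account often
# leaves files owned by that account (apache, nobody, ...).
check_ownership() {
    awk 'NF >= 3 && ($1 != "root" || $2 != "root") {
        sub(/^[^ ]+[ ]+[^ ]+[ ]+/, ""); print
    }'
}

# run_sweep: run both checks against the live system. Returns 1 when
# anything was found so cron only mails on a hit. -H makes find follow a
# /bin -> /usr/bin style symlink given as a starting point.
run_sweep() {
    hits=0
    imm=$(lsattr -R $SYSTEM_DIRS 2>/dev/null | find_immutable)
    if [ -n "$imm" ]; then
        echo "Immutable attribute set on:"; echo "$imm"; hits=1
    fi
    own=$(find -H $SYSTEM_DIRS -type f -printf '%u %g %p\n' 2>/dev/null | check_ownership)
    if [ -n "$own" ]; then
        echo "Not owned by root:root:"; echo "$own"; hits=1
    fi
    return $hits
}

# Constructed sample output (not from any real machine) so the parsers can
# be run without touching the system.
SAMPLE_LSATTR='----i---------e----- /usr/bin/ls
----------------e----- /usr/bin/cat
/usr/lib:

-------------I--e----- /usr/lib/modules'
SAMPLE_FIND='root root /usr/bin/ls
apache apache /usr/bin/ps
root wheel /usr/sbin/sshd'

demo() {
    printf '%s\n' "$SAMPLE_LSATTR" | find_immutable   # /usr/bin/ls
    printf '%s\n' "$SAMPLE_FIND" | check_ownership    # /usr/bin/ps, /usr/sbin/sshd
}

# Only touch the live system when invoked explicitly, e.g. from cron
# (assumed path):   0 3 * * * /usr/local/sbin/sweep.sh --run
case "${1-}" in
    --run) run_sweep ;;
    *) demo ;;
esac
```

Two caveats a practitioner would want: `lsattr` only reports attributes on
ext-family filesystems, so an immutable file on another filesystem type is
invisible to this check, and a root-level intruder can replace `lsattr`,
`awk` and `find` themselves. The way Dale handled the cleanup, mounting the
disk on a known clean machine, is the right place to run the sweep; point
SYSTEM_DIRS at the mount point and run the clean host's own tools.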