Re: possibly hacked

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



For the 1 1/2 cents worth, this is how I, a non sys admin person,
manage linux security.
My server has been hacked a while back while using Slackware 8 (or so)
when there was a SSL/SSH bug which I never got around to fix.

I guess using Fedora gives me a better peace of mind as libraries are
updated on a daily basis. Out of the box, Slackware does not have this
auto update feature. Probably because any slackware peeps prefers to
build and package from src.

A basic rule that I've followed is not to run any services that I am
not using. For any services that are needed, I make sure that I know
how to configure them at least to intermediate level. Spend a few
hours to set it up properly, create a documentation in human
understandable language, it'll go a long way.

One way or another, actively configure and know your firewall
settings. Some time ago, I swore I've learned everything about
iptables, but since I've my hardware firewall with a dumbed down
interface, it's what I've been using since.

On 3/23/07, Manuel Arostegui Ramirez <manuel@xxxxxxxxxxxxxx> wrote:
On Friday 23 March 2007 13:40:45 Schnulli wrote:
> Well, we got also infected with this "bastard"
> ok, we´running Mandrake 10.2 (the good old one) but same probbs.
>
> How i found it?
> i was looking what is running on this MDK... uuuuuuhhhhh whats that
> => APACHE -DSSL ??? hmmm with high CPU Load.... i was wondering.
> Also o had lately lags in our bandwidth.... alot spam Mails and a few
> other strange things.
> Ok.. time to do smth......
> In our case this is bastard tells you i am "APACHE -DSSL" WRONG!!!!
> this is a Perl Deamon connecting to the Irc Network and spreading all
> infos of ur sys, AND!!!! gives them full access to ur Server.......
> What to do???? Where the heck does it load from?
> Well.... it is a Exploit used by hackers to hijack Boards, no matter
> if phpBB, Joomla or other.. its Code injection and execution !! once
> u got infected u r having a probb we DONT know at time a solution to
> kick this lil baby off, not yet.....
> What we did?
> well... this exploid needds to load external code to execute.... we
> found where and how it starts up, in our case it is the file
> "borek.txt" (search for it by google etc. and you will find similar
> probbs;) )
> OK... we saw where this bastard tryed to load it´s code... so we
> blocked this IP. This will give us now the time and chance to search
> how it works and maybe find a solution to fix it and close this
> backdoor/bug
> When u deny/drop/reject access to the IP where the code is placed,
> the deamon cant start up.. simple? yes, but no solution.....
>
> We´ll finger out how and what it is and by chance bring u all (and
> us) a solution ti fix it
>
> cheers from Germany,
> Schnulli
>
> By the way, when still someone has a solution feel free to post it
> here or leave me a note
>

Sorry about reading you have been hacked.
Well, it depends on the scenario, of course, but in mine, I have the public
server with a restricted network policy, I mean, the only output connection
allowed is the one made to the apt-get servers. Any other connection will be
refused.
So, in case we were hacked and that -DSSL running, it wouldn´t send any piece
of information, at least.

We´re also using Babel Enterprise ( http://babel.sf.net ) in order to keep our
processes and services under control, so if there´s any other process running
aside from the ones we already know and allow,it will be reported.

Hope this helps.
All the best.
--
Manuel Arostegui Ramirez.

Electronic Mail is not secure, may not be read every day, and should not
be used for urgent or sensitive issues.

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list



--
Chu Jeang Tan
chujtan@xxxxxxxxx


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux