Re: Server hacked - next...?

To: "Russell Coker" <russell@coker.com.au>, <debian-isp@lists.debian.org>
Subject: Re: Server hacked - next...?
From: "Jason Lim" <maillist@jasonlim.com>
Date: Sun, 29 Jun 2003 21:47:13 +0800
Message-id: <[🔎] 004b01c33e44$f2c375a0$d600a8c0@antivirusgateway>
Reply-to: "Jason Lim" <maillist@jasonlim.com>
References: <[🔎] 04ca01c33dfb$6dce7b40$0800a8c0@SYSTEM8> <[🔎] 200306291549.00472.russell@coker.com.au> <[🔎] 05d401c33e0e$075ebf60$0800a8c0@SYSTEM8> <[🔎] 200306291802.00054.russell@coker.com.au>

Hi Russell,

Well, SE Linux certainly seems like something that needs to be installed.
Most annoying is that all the recent security updates were already done!

The user CGIs run as the user's UID... suexec.

Re-installing from scratch would be a real pain... the server runs on a
3ware array, and has hundreds of users, all active :-/

Is there any way to verify the Integrity of the files somehow, and
download/re-install any binaries that do not match the checksums or
something? Does dpkg or some other Debian tool have this ability?

If just a list of packages could be shown that do not match what is
actually on the disk, those could be re-downloaded and re-installed, so at
least the system can start working (right now, just typing "gcc" produces
garbage on the screen, no doubt because some libraries have been
replaced).

Is there any tool that could search the system for root suid scripts (so
the hacker can login again and gain root easily)?

Hope you can shed some light on the above, so at least the system can get
back up and running, then we can even setup a new server (with SE Linux
and various others) and migrate the accounts over.

Thanks in advance!!!

Sincerely,
Jason

----- Original Message ----- 
From: "Russell Coker" <russell@coker.com.au>
To: "Jason Lim" <maillist@jasonlim.com>; <debian-isp@lists.debian.org>
Sent: 29 June, 2003 4:02 PM
Subject: Re: Server hacked - next...?

> On Sun, 29 Jun 2003 17:12, Jason Lim wrote:
> > The box is a very recently updated "stable" box... virtually every
other
> > date apt-get is update/upgrade.
> >
> > The box is setup very secure... the usual things were done... like
> > ensuring no unused services are running and things like that.
> >
> > So does that mean "stable" is actually vulnerable to something we all
> > don't know about???
>
> That could be the case.
>
> Or it could be some issue of your configuration.  Maybe you have Apache
set to
> run customer cgi-bin scripts under the same UID and a customer uploaded
an
> insecure or hostile cgi-bin script.
>
> Have you considered using SE Linux?
>
> -- 
> http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux
packages
> http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
> http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
> http://www.coker.com.au/~russell/  My home page
>
>

Reply to:

Follow-Ups:
- Re: Server hacked - next...?
  - From: Achim Schmidt <schmidt@os.waaf.net>
- Re: Server hacked - next...?
  - From: Russell Coker <russell@coker.com.au>
- Re: Server hacked - next...?
  - From: bda <bda@mirrorshades.net>
- Re: Server hacked - next...?
  - From: "Leonardo Boselli" <leo@dicea.unifi.it>
- Re: Server hacked - next...?
  - From: Dan MacNeil <omacneil@brave.cs.uml.edu>

References:
- Server hacked - next...?
  - From: "Jason Lim" <maillist@jasonlim.com>
- Re: Server hacked - next...?
  - From: Russell Coker <russell@coker.com.au>
- Re: Server hacked - next...?
  - From: "Jason Lim" <maillist@jasonlim.com>
- Re: Server hacked - next...?
  - From: Russell Coker <russell@coker.com.au>

Prev by Date: Re: Server hacked - next...?
Next by Date: Re: SSL wrapping of Outlook ?
Previous by thread: Re: Server hacked - next...?
Next by thread: Re: Server hacked - next...?
Index(es):
- Date
- Thread