[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Server hacked - next...?

Hi Russell,

Well, SE Linux certainly seems like something that needs to be installed.
Most annoying is that all the recent security updates were already done!

The user CGIs run as the user's UID... suexec.

Re-installing from scratch would be a real pain... the server runs on a
3ware array, and has hundreds of users, all active :-/

Is there any way to verify the Integrity of the files somehow, and
download/re-install any binaries that do not match the checksums or
something? Does dpkg or some other Debian tool have this ability?

If just a list of packages could be shown that do not match what is
actually on the disk, those could be re-downloaded and re-installed, so at
least the system can start working (right now, just typing "gcc" produces
garbage on the screen, no doubt because some libraries have been

Is there any tool that could search the system for root suid scripts (so
the hacker can login again and gain root easily)?

Hope you can shed some light on the above, so at least the system can get
back up and running, then we can even setup a new server (with SE Linux
and various others) and migrate the accounts over.

Thanks in advance!!!


----- Original Message ----- 
From: "Russell Coker" <russell@coker.com.au>
To: "Jason Lim" <maillist@jasonlim.com>; <debian-isp@lists.debian.org>
Sent: 29 June, 2003 4:02 PM
Subject: Re: Server hacked - next...?

> On Sun, 29 Jun 2003 17:12, Jason Lim wrote:
> > The box is a very recently updated "stable" box... virtually every
> > date apt-get is update/upgrade.
> >
> > The box is setup very secure... the usual things were done... like
> > ensuring no unused services are running and things like that.
> >
> > So does that mean "stable" is actually vulnerable to something we all
> > don't know about???
> That could be the case.
> Or it could be some issue of your configuration.  Maybe you have Apache
set to
> run customer cgi-bin scripts under the same UID and a customer uploaded
> insecure or hostile cgi-bin script.
> Have you considered using SE Linux?
> -- 
> http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux
> http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
> http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
> http://www.coker.com.au/~russell/  My home page

Reply to: