Re: Server hacked - next...?



On Sun, Jun 29, 2003 at 03:15:05PM +0800, Jason Lim wrote:
> Okay... so supposing the whole system needs to be installed, we can make a
> backup of the home directory now... but after we restore everything, what
> is to stop the hacker immediately re-gaining access again?
> 
> The server is a fully updated "stable" debian system. In fact, it was
> updated just yesterday.
> 
> I'm thinking that even if we do all the trouble of a complete
> re-installation of the entire system, it won't fix this as it will get
> re-hacked again, especially since we can't see what is going on anymore.
> 
> What do you think? :-(
> 
> This really, really sucks.
> 

As Russell Coker points out, the attacker probably got in through
apache and a vulnerable CGI script.
When you reinstall, be sure you don't run any insecure CGIs.
There is probably a bunch of other improvements you can do.

Mount /tmp with noexec
Run a hardened kernel like NSA or Grsecurity.
etc.

--
Frode Haugsgjerd
Norway
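
The "mount /tmp with noexec" suggestion above, as an added example that is not part of the original message: a check over a mounts table in `/proc/mounts` format. It goes beyond the message by also looking at `/var/tmp` and `/dev/shm` and at `nosuid`/`nodev`; the function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): check a mounts table in
# /proc/mounts format for the noexec/nosuid/nodev options on /tmp.

# missing_opts FILE MOUNTPOINT
# Prints "ok", "not-mounted" (no separate filesystem there), or the
# space-separated options that are absent. The last matching entry wins,
# because a later mount shadows an earlier one on the same path.
missing_opts() {
    awk -v mp="$2" '
        $2 == mp { opts = $4; found = 1 }
        END {
            if (!found) { print "not-mounted"; exit }
            n = split(opts, a, ",")
            for (i = 1; i <= n; i++) have[a[i]] = 1
            m = split("noexec nosuid nodev", want, " ")
            out = ""
            for (i = 1; i <= m; i++)
                if (!(want[i] in have)) {
                    sep = (out == "" ? "" : " ")
                    out = out sep want[i]
                }
            print (out == "" ? "ok" : out)
        }' "$1"
}

# audit_mounts FILE: report on world-writable scratch areas; return 1 on any gap.
audit_mounts() {
    rc=0
    for mp in /tmp /var/tmp /dev/shm; do
        res=$(missing_opts "$1" "$mp")
        printf '%-10s %s\n' "$mp" "$res"
        [ "$res" = "ok" ] || rc=1
    done
    return "$rc"
}

# Constructed sample table (illustrative, not taken from the thread).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
/dev/hda1 / ext3 rw,errors=remount-ro 0 0
/dev/hda5 /tmp ext3 rw,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
EOF

audit_mounts "$SAMPLE" || echo "gaps found: add the listed options in /etc/fstab"
```

On a rebuilt server, run `audit_mounts /proc/mounts`; a result of `not-mounted` means the path shares the root filesystem and needs its own partition or tmpfs before `noexec` can be applied to it alone.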