Re: Server hacked - next...?
On Sun, Jun 29, 2003 at 03:15:05PM +0800, Jason Lim wrote:
> Okay... so supposing the whole system needs to be installed, we can make a
> backup of the home directory now... but after we restore everything, what
> is to stop the hacker immediately re-gaining access again?
> The server is a fully updated "stable" debian system. In fact, it was
> updated just yesterday.
> I'm thinking that even if we do all the trouble of a complete
> re-installation of the entire system, it won't fix this as it will get
> re-hacked again, especially since we can't see what is going on anymore.
> What do you think? :-(
> This really, really sucks.
As Russell Coker points out, the attacker probably got in through
apache and a vulnerable CGI script.
When you reinstall, be sure you don't run any insecure CGIs.
There is probably a bunch of other improvements you can do.
Mount /tmp with noexec
Run a hardened kernel like NSA or Grsecurity.
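
An added example, not part of the original message: a POSIX shell check for the "Mount /tmp with noexec" advice above. It reads /proc/mounts-format text and reports which required options a mount point lacks. The function names and the sample mount table are constructed for illustration, and checking nosuid and nodev alongside noexec goes beyond what the message lists.

```sh
#!/bin/sh
# Added example: audit mount options in /proc/mounts-format text read from stdin.
# Usage: missing_mount_opts MOUNT_POINT OPT... < /proc/mounts
# Prints the required options the mount point lacks.
# Returns 0 = all present, 1 = some missing, 2 = path is not a separate mount.
missing_mount_opts() {
    mount_point=$1; shift
    # Field 2 is the mount point, field 4 the option list. With stacked
    # mounts the last matching entry is the one in effect.
    opts=$(awk -v mp="$mount_point" '$2 == mp { o = $4 } END { print o }')
    [ -n "$opts" ] || return 2
    missing=""
    for want in "$@"; do
        # Wrap in commas so "exec" never matches inside "noexec".
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    [ -n "$missing" ] || return 0
    printf '%s\n' "${missing# }"
    return 1
}

# Constructed sample (not from the thread): /tmp on its own partition, no noexec.
sample_mounts() {
    cat <<'EOF'
/dev/hda1 / ext3 rw,errors=remount-ro 0 0
/dev/hda5 /tmp ext3 rw,nosuid 0 0
/dev/hda6 /home ext3 rw,nosuid,nodev 0 0
EOF
}

# Demo on the sample; on a live host use: missing_mount_opts /tmp noexec < /proc/mounts
if lacking=$(sample_mounts | missing_mount_opts /tmp noexec nosuid nodev); then
    echo "/tmp: all required options set"
else
    echo "/tmp: needs attention (missing: ${lacking:-not a separate mount})"
fi
```

A return code of 2 means the path has no mount entry of its own, so it inherits the options of its parent filesystem and cannot be given noexec separately until it is placed on its own partition or tmpfs.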