
Re: Server hacked - next...?



Hi Jason,

A good program to check for rootkits can be found here:

http://www.chkrootkit.org/

- Achim

On Sun, 2003-06-29 at 15:47, Jason Lim wrote:
> Hi Russell,
> 
> Well, SE Linux certainly seems like something that needs to be installed.
> Most annoying is that all the recent security updates were already done!
> 
> The user CGIs run as the user's UID... suexec.
> 
> 
> Re-installing from scratch would be a real pain... the server runs on a
> 3ware array, and has hundreds of users, all active :-/
> 
> Is there any way to verify the integrity of the files somehow, and
> download/re-install any binaries that do not match the checksums or
> something? Does dpkg or some other Debian tool have this ability?
> 
> If just a list of packages could be shown that do not match what is
> actually on the disk, those could be re-downloaded and re-installed, so at
> least the system can start working (right now, just typing "gcc" produces
> garbage on the screen, no doubt because some libraries have been
> replaced).
> 
> Is there any tool that could search the system for root suid scripts (so
> the hacker can login again and gain root easily)?
> 
> 
> Hope you can shed some light on the above, so at least the system can get
> back up and running, then we can even set up a new server (with SE Linux
> and various others) and migrate the accounts over.
> 
> Thanks in advance!!!
> 
> Sincerely,
> Jason
> 
> ----- Original Message ----- 
> From: "Russell Coker" <russell@coker.com.au>
> To: "Jason Lim" <maillist@jasonlim.com>; <debian-isp@lists.debian.org>
> Sent: 29 June, 2003 4:02 PM
> Subject: Re: Server hacked - next...?
> 
> 
> > On Sun, 29 Jun 2003 17:12, Jason Lim wrote:
> > > The box is a very recently updated "stable" box... virtually every other
> > > date apt-get is update/upgrade.
> > >
> > > The box is setup very secure... the usual things were done... like
> > > ensuring no unused services are running and things like that.
> > >
> > > So does that mean "stable" is actually vulnerable to something we all
> > > don't know about???
> >
> > That could be the case.
> >
> > Or it could be some issue of your configuration.  Maybe you have Apache set to
> > run customer cgi-bin scripts under the same UID and a customer uploaded an
> > insecure or hostile cgi-bin script.
> >
> > Have you considered using SE Linux?
> >
> > -- 
> > http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
> > http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
> > http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
> > http://www.coker.com.au/~russell/  My home page
> >
> >
> 
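The two things Jason asks for in the quoted mail (a list of installed files that no longer match their package checksums, and a sweep for setuid files) are shown below as an added example; this is not code from the thread, from Debian or from chkrootkit. It assumes the suspect disk is mounted read-only under a directory such as /mnt/suspect and that `md5sum` and `find` come from a trusted rescue system, since (as the quoted mail itself notes) the libraries on the hacked box can no longer be trusted. The manifest format is the one `md5sum` writes, which is also the layout of /var/lib/dpkg/info/<pkg>.md5sums that `debsums` reads; the demo tree at the bottom is constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Two checks a responder runs on a
# suspect Debian box from a trusted rescue environment, with the suspect disk
# mounted read-only at ROOT (e.g. /mnt/suspect):
#
#   verify_manifest MANIFEST ROOT  compare files under ROOT against a manifest
#                                  in md5sum format ("<md5>  <relative path>"),
#                                  the layout of /var/lib/dpkg/info/<pkg>.md5sums
#                                  that debsums reads; prints MISSING/MODIFIED
#                                  lines and returns 1 if anything differs.
#   find_setid ROOT                list setuid/setgid regular files under ROOT.
#
# Assumes md5sum (coreutils) and find (findutils) from the *rescue* system, so
# a replaced libc or a trojaned md5sum on the suspect disk cannot lie to us.

verify_manifest() {
    manifest=$1
    root=$2
    status=0
    # md5sum output is "<hash><two spaces><path>"; read splits on whitespace
    # and hands the remainder of the line to $path.
    while read -r sum path; do
        [ -z "$path" ] && continue
        f="$root/$path"
        if [ ! -f "$f" ]; then
            echo "MISSING  $path"
            status=1
            continue
        fi
        actual=$(md5sum "$f" | cut -d' ' -f1)
        if [ "$actual" != "$sum" ]; then
            echo "MODIFIED $path"
            status=1
        fi
    done < "$manifest"
    return "$status"
}

find_setid() {
    root=$1
    # -perm -4000: setuid bit set; -perm -2000: setgid bit set.
    # -xdev keeps find on the mounted suspect filesystem only.
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Constructed demonstration tree (not a real system): two "package" files and
# their manifest; then one file is modified, one deleted, and a setuid file is
# planted, which is exactly what the two checks should report.
demo_run() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin" "$tmp/lib"
    printf 'ls binary\n' > "$tmp/bin/ls"
    printf 'libc\n' > "$tmp/lib/libc.so.6"
    (cd "$tmp" && md5sum bin/ls lib/libc.so.6 > manifest.md5sums)
    printf 'ls binary, replaced\n' > "$tmp/bin/ls"      # tampered file
    rm "$tmp/lib/libc.so.6"                             # removed file
    printf '#!/bin/sh\n' > "$tmp/bin/planted_suid"
    chmod 4755 "$tmp/bin/planted_suid"                  # setuid bit set
    echo "== package file check =="
    verify_manifest "$tmp/manifest.md5sums" "$tmp" || echo "(mismatches found)"
    echo "== setuid/setgid files =="
    find_setid "$tmp"
    rm -rf "$tmp"
}

demo_run
```

On a live Debian system `debsums -c` does the manifest comparison against every package's .md5sums file (newer dpkg also has `dpkg --verify`), but those checksum files sit on the same disk the intruder had root on, so a clean result from them is weak evidence; comparing against the original .deb files or a known-good mirror, from rescue media, is the stronger check. The `find` sweep is only a listing; the point is to diff it against what the packages legitimately install, and anything outside that list warrants a closer look.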


