
Re: Am I Compromised -- Some interesting findings



On Fri, Nov 25, 2005 at 04:56:53PM +0000, Keith Edmunds wrote:
> Ritesh Raj Sarraf wrote:
> >Please suggest what more I should look for and how to tackle this 
> >attack.
> 
> The sensible way forward is to rebuild the machine, although you may 
> want to preserve some of it for analysis. I wouldn't trust the machine 
> again.

And when you rebuild, make sure to make /tmp a separate partition, and mount
it noexec,nosuid,nodev.

You could do the same with /var/lib/tmp or /var/tmp.

That will make it much harder for an attacker to execute whatever they upload
to your box.

Bye for now,
Ward.

-- 
Pong.be         -( "In my opinion M$ is a lot better at making money than  )-
Virtual hosting -(    it is at making good operating systems." -- Linus    )-
http://pong.be  -(                        Torvalds                         )-
GnuPG public key: http://gpg.dtype.org
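
The mount options recommended in the message above can be verified on a rebuilt host with a short audit script. This is an added example, not part of the original message; the function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Audit temp directories for the hardening described above: each should be
# its own mount point carrying noexec, nosuid and nodev.

REQUIRED_OPTS="noexec nosuid nodev"

# check_mount DIR [MOUNTS_FILE]
# Prints "DIR: ok", "DIR: not a separate mount" or "DIR: missing <opts>".
# Returns 0 only when DIR is a mount point with every required option.
check_mount() {
    dir=$1
    mounts=${2:-/proc/mounts}
    # /proc/mounts fields: device mountpoint fstype options dump pass.
    # A later line for the same mount point wins, so keep the last match.
    opts=$(awk -v d="$dir" '$2 == d { o = $4 } END { print o }' "$mounts")
    if [ -z "$opts" ]; then
        echo "$dir: not a separate mount"
        return 1
    fi
    missing=""
    for want in $REQUIRED_OPTS; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$dir: missing${missing}"
        return 1
    fi
    echo "$dir: ok"
}

# Constructed sample in /proc/mounts format (not taken from any real host).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sda5 /tmp ext3 rw,nosuid,nodev,noexec 0 0
/dev/sda6 /var/tmp ext3 rw,nosuid 0 0
EOF
}

# audit_all [MOUNTS_FILE]: check every temp dir, return non-zero if any fails.
audit_all() {
    rc=0
    for d in /tmp /var/tmp /var/lib/tmp; do
        check_mount "$d" "$@" || rc=1
    done
    return $rc
}
```

Calling `audit_all` with no argument reads the live `/proc/mounts`. The noexec option only blocks direct execution of files stored on that mount, so it is one layer of the rebuild rather than the whole of it.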


