
Re: we were attacked




On 2006-04-07 danilo lujambio wrote:
> in one of our servers with Sarge we are suffering an attack which put a
> perl script and two executables in /tmp with owner www-data.
> We couldn't find any data in messages, syslog, apache.log which help
> us. We have a shorewall with very few ports open (ssh, ftp and web).
> Can someone help us with how to look for the source of the attack?

Another scenario:
It's not uncommon to have FTP configured with the same uid as the webserver,
so you might want to check if your FTP maybe gives access to every user
in /etc/passwd. There you may have one that had an easy-to-guess password
(nagios:nagios or admin:admin) which you thought to be safe as you use
ssh's AllowUsers...

bye,

-christian-
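
An added example, not part of the original message: a Python sketch of the check suggested above, listing accounts that could log in over FTP while falling outside sshd's AllowUsers. It assumes an FTP daemon that accepts any /etc/passwd user whose shell is in /etc/shells unless the user is named in /etc/ftpusers; all sample file contents are constructed.

```python
from fnmatch import fnmatch

# Constructed sample inputs (not taken from the affected server).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/sh
nagios:x:105:108::/var/lib/nagios:/bin/sh
admin:x:1001:1001::/home/admin:/bin/bash
alice:x:1002:1002::/home/alice:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
"""
SHELLS = "# valid login shells\n/bin/sh\n/bin/bash\n"
FTPUSERS = "# users denied FTP login\nroot\n"
SSHD_CONFIG = "PermitRootLogin no\n#AllowUsers old\nAllowUsers alice\n"

def entries(text):
    """Non-blank, non-comment lines of a simple list file."""
    lines = (l.strip() for l in text.splitlines())
    return {l for l in lines if l and not l.startswith("#")}

def ssh_allow_users(sshd_config):
    """AllowUsers patterns, or None when the directive is absent (no restriction)."""
    allowed = None
    for line in sshd_config.splitlines():
        parts = line.split()
        if parts and parts[0].lower() == "allowusers":
            allowed = (allowed or set()) | set(parts[1:])
    return allowed

def ftp_only_accounts(passwd, shells, ftpusers, sshd_config):
    """Accounts that pass the assumed FTP login rules but are not in AllowUsers."""
    valid_shells, denied = entries(shells), entries(ftpusers)
    allowed = ssh_allow_users(sshd_config)
    findings = []
    for line in entries(passwd):
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip malformed passwd lines
        name, shell = fields[0], fields[6]
        ftp_ok = shell in valid_shells and name not in denied
        # AllowUsers entries may be USER or USER@HOST patterns; match the user part.
        ssh_ok = allowed is None or any(fnmatch(name, p.split("@")[0]) for p in allowed)
        if ftp_ok and not ssh_ok:
            findings.append(name)
    return sorted(findings)

if __name__ == "__main__":
    for name in ftp_only_accounts(PASSWD, SHELLS, FTPUSERS, SSHD_CONFIG):
        print("FTP login possible, not in AllowUsers:", name)
```

Every account it reports needs its password checked or an entry in the FTP deny list, since AllowUsers does nothing for it.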


