[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: we were attacked

On Fri, Apr 07, 2006 at 03:34:45PM -0700, Joe Emenaker wrote:

> Say what you will... but we tried everything else that we knew at the 
> time. I actually scanned *every* file on the machine (ie "find / -type f 
> -exec grep -l r0nin {}") for anything containing the various filenames, 
> to no avail. In case it was a problem in the kernel, or Apache, or Perl, 
> or whatever, we regularly used apt to upgrade all of the packages on the 
> system to the latest available, including running the latest kernel.

  Looking in logs for this is pretty good, but I think if you start
 seeing things owned by www-data on pretty-stock installations you
 pretty much must assume that it is an Apache problem.

> Yeah, that probably would have helped. It's funny how, *after* you know 
> what the problem is, you clearly know the steps to take to find it. It's 
> interesting that you didn't mention any of these things to the original 
> poster.

  I've done so before, check the archives.  The same question comes 
 up regularly on this list... and on debian-security.

> But, if I'm going to get labeled as appalling for trying to help the guy 
> out, then, next time, I'll just keep my trap shut and let the dude 
> suffer. In fact, maybe I'll go the whole nine yards and just criticize 
> the other posters who *do* try to help.

  No the appalling part was you having a machine compromised
 resetting it to a "good" state and then letting it get compromised
 again, and again, and again.

  (Actually it wasn't clear how many times you were reinfected from
 your original mail so maybe I read it worse than it actually was.)

  If you don't know how they got in then I have to say it is
 pretty irresponsible to try to erase the problem and leave it
 back out there to get reinfected multiple times.


Attachment: signature.asc
Description: Digital signature

Reply to: