On Fri, Apr 07, 2006 at 11:41:28PM +0100, Steve Kemp wrote:
> On Fri, Apr 07, 2006 at 03:34:45PM -0700, Joe Emenaker wrote:
> > But, if I'm going to get labeled as appalling for trying to help the guy
> > out, then, next time, I'll just keep my trap shut and let the dude
> > suffer. In fact, maybe I'll go the whole nine yards and just criticize
> > the other posters who *do* try to help.
> No, the appalling part was you having a machine compromised,
> resetting it to a "good" state and then letting it get compromised
> again, and again, and again.

Problems like this aren't simple to diagnose on webhosting environments. There could be a lot of requests in the logs and there could also be a lot of users whose scripts might have been the cause. I do not think it is reasonable to take more drastic countermeasures immediately if there are no signs of attempts to gain root. On large webhosting systems it is pretty much a normal event that some client ends up with compromised scripts.

> If you don't know how they got in then I have to say it is
> pretty irresponsible to try to erase the problem and leave it
> back out there to get reinfected multiple times.

There are no alternatives. If there are processes sending spam, of course they have to be cleaned up as soon as possible and the entrance point has to be found out before it can be closed. A large webhosting environment can't be taken down for reviewing all client code. Stock Debian is not terribly well suited to this kind of environment (little support for extra security and user separation), but I still do not think this kind of system management is appalling.
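The reply above argues that on a shared host the hard part is narrowing many log lines and many customers down to the one script that was the entry point. As an added illustration (not code from this thread or from any of its participants), the script below takes a constructed snapshot of processes caught sending mail and a constructed Apache access log in a vhost-prefixed combined format, and for each process lists the requests to that customer's own virtual hosts in the minutes before the process started, ranking POSTs, script-looking paths and non-browser clients first. The vhost-to-account mapping, the log format, the time window and the scoring weights are all assumptions chosen for the example; it also assumes `ps` and the web server log share one local timezone, so the log's UTC offset is ignored.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: mail-sending processes as a cleaned-up `ps` snapshot would show
# them on a shared host (user, pid, local start time, command). Hypothetical data.
SUSPICIOUS_PROCS = [
    {"user": "cust17", "pid": 4412, "started": "2006-04-07 14:02:10",
     "cmd": "/usr/bin/perl /tmp/.x/mailer.pl"},
]

# Constructed sample: Apache access log with the virtual host as the first field,
# followed by the usual "combined" fields. Hypothetical data.
ACCESS_LOG = """\
cust17.example.net 203.0.113.5 - - [07/Apr/2006:13:58:40 +0100] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
cust17.example.net 198.51.100.9 - - [07/Apr/2006:14:01:55 +0100] "POST /gallery/upload.php HTTP/1.1" 200 210 "-" "libwww-perl/5.805"
cust17.example.net 198.51.100.9 - - [07/Apr/2006:14:02:03 +0100] "GET /gallery/img/mailer.pl HTTP/1.1" 200 0 "-" "libwww-perl/5.805"
cust03.example.net 192.0.2.77 - - [07/Apr/2006:14:02:05 +0100] "GET /blog/ HTTP/1.1" 200 8832 "-" "Mozilla/5.0"
cust17.example.net 203.0.113.8 - - [07/Apr/2006:14:40:00 +0100] "GET /about.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Which Unix account owns which virtual host. On a real host this would be derived
# from the vhost configuration; here it is constructed.
VHOST_OWNER = {"cust17.example.net": "cust17", "cust03.example.net": "cust03"}

LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse vhost-prefixed combined log lines into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        # Drop the UTC offset: assumed to match the local time `ps` reports.
        entry["time"] = datetime.strptime(entry["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
        entries.append(entry)
    return entries


def score(entry):
    """Heuristic weight for how likely a request is to have planted or started the process."""
    s = 0
    if entry["method"] == "POST":
        s += 2  # uploads and form abuse usually arrive as POSTs
    if re.search(r"\.(php|pl|cgi)(\?|$)", entry["path"]):
        s += 1  # a script, not a static file
    if "mozilla" not in entry["ua"].lower():
        s += 1  # scripted client rather than a browser
    return s


def candidate_requests(procs, entries, window=timedelta(minutes=10)):
    """For each suspicious process, return requests to its owner's vhosts inside
    `window` before the process started, best-scoring first (later request wins ties)."""
    owner_vhosts = defaultdict(set)
    for vhost, user in VHOST_OWNER.items():
        owner_vhosts[user].add(vhost)

    result = {}
    for proc in procs:
        started = datetime.strptime(proc["started"], "%Y-%m-%d %H:%M:%S")
        hits = [e for e in entries
                if e["vhost"] in owner_vhosts[proc["user"]]
                and started - window <= e["time"] <= started]
        hits.sort(key=lambda e: (score(e), e["time"]), reverse=True)
        result[proc["pid"]] = hits
    return result


if __name__ == "__main__":
    ranked = candidate_requests(SUSPICIOUS_PROCS, parse_log(ACCESS_LOG))
    for proc in SUSPICIOUS_PROCS:
        print(f"pid {proc['pid']} ({proc['user']}): {proc['cmd']}")
        for e in ranked[proc["pid"]]:
            print(f"  score={score(e)} {e['time']} {e['ip']} {e['method']} {e['path']} [{e['ua']}]")
```

The output is a short list per process, not a verdict: the top entry is where to start reading the customer's code (in the sample, the POST to an upload script from a non-browser client, followed by a fetch of the dropped file), and the source address of those requests is the one to block or watch while the script is fixed. Requests from other customers and requests after the process started are excluded, which is what keeps the list small on a busy host.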