
Re: we were attacked

On Sat, Apr 08, 2006 at 03:21:05PM +0200, Marek Podmaka wrote:
> So what is it? People (no, they aren't hackers :) try to use your resources
> for their "actions". These scripts are mainly irc bots waiting for commands
> and can perform actions like googling for other vulnerable servers, doing
> udpflood and so on. So part of the solution is to block port 6667 in
> firewall :) 

I think in most situations it is best to block all outgoing connections and
open those that are necessary. This will make most attacks very difficult.

> Solutions (please contribute if you have any ideas):
> 1) /tmp noexec, better also /var/tmp (not useful if evil executes "perl
> /tmp/.evilscript")

Also /dev/shm.

> 4) use wrapper for emails - I have one which includes special headers to
> mails sent from php, I'm going to modify it to support limits on no. of
> mails sent in timeframe

I hope you share this.
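
A check for the mount hardening discussed above, as an added example that is not part of the original message: it reads mount data in /proc/mounts format and lists which of /tmp, /var/tmp and /dev/shm sit on a mount without noexec. The sample mount table is constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Input format (as in /proc/mounts): device mountpoint fstype options dump pass

# Constructed sample, not from the thread: /tmp is hardened, /dev/shm is not,
# and /var/tmp has no mount of its own, so it inherits its options from /var.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda2 /var ext3 rw,nosuid 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0'

# covering_opts DIR: read a mount table on stdin and print the options of the
# mount that actually holds DIR (the longest mount point that is DIR or one of
# its parents; on a tie the later entry wins because it is mounted on top).
covering_opts() {
    awk -v dir="$1" '
        BEGIN { best = 0 }
        {
            mp = $2
            if (mp == dir || mp == "/" || index(dir, mp "/") == 1) {
                if (length(mp) >= best) { best = length(mp); opts = $4 }
            }
        }
        END { print opts }'
}

# missing_noexec: read a mount table on stdin and print every directory from
# the thread whose covering mount lacks the noexec option.
missing_noexec() {
    mounts=$(cat)
    for dir in /tmp /var/tmp /dev/shm; do
        opts=$(printf '%s\n' "$mounts" | covering_opts "$dir")
        case ",$opts," in
            *,noexec,*) ;;                  # hardened, nothing to report
            *) printf '%s\n' "$dir" ;;      # binaries can still run from here
        esac
    done
}

# Run against the constructed sample; on a live Linux host use:
#   missing_noexec < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | missing_noexec
```

A directory without its own mount is reported with the options of its parent file system, which is why /var/tmp shows up in the sample even though /tmp is hardened.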
