On Sun, 2003-05-25 at 19:04, Jayson Vantuyl wrote:

> We've had a number of hacked boxen recently. It appears a certain
> person (Romanian we think) is specifically targeting us and our
> customers (looks like he hit a machine and found connections from others
> in their logs, went from there).
>
> The part that bothers me is that all of these systems were updated to
> the newest versions on debian.security.org (if apt-get was doing its
> job) and firewalled down to just the ports we needed (22, 25, 53, 80).

Did those machines have kernels with the ptrace vulnerability?

Did they have interactive users logging in from less secure machines?

Recently, a friend of mine also had some compromised Debian machines, attacked from Romania and elsewhere. His personal machine was successfully attacked twice.

We didn't make a careful analysis, but it is possible that a Samba vulnerability was exploited for the first attack, since he had not made security updates for a few months.

After that he made a fresh install and took proper care of updates from debian.security.org, but... after a few days his machine was compromised again. This time we believe the attack was performed through another machine, running some Mandrake release which was lacking security updates. The main user of this Mandrake system is also a regular user on my friend's machine, and somehow the intruder took advantage of that to reach the Debian machine as the "normal" user.

The only known vulnerability on my friend's machine at the time was... the kernel with the ptrace vulnerability, which the intruder may have exploited (in fact we found an exploit for that among the intruder's files on the Mandrake machine).

Best regards

J Esteves