> On Sun, 2003-05-25 at 14:04, Jayson Vantuyl wrote:
> > We've had a number of hacked boxen recently. It appears a certain
> > person (Romanian we think) is specifically targeting us and our
> > customers (looks like he hit a machine and found connections from others
> > in their logs, went from there).
> >
> > We have no idea how he's getting in, but we've got his rootkit fairly
> > nailed down (he uses a few slightly different ones).
> >
> > We've caught a few systems as he was breaking in (we have
> > .bash_history files and the site he downloads his rootkits from).
> >
> > The part that bothers me is that all of these systems were updated to
> > the newest versions on debian.security.org (if apt-get was doing its
> > job) and firewalled down to just the ports we needed (22, 25, 53, 80).
> > [snip]

I've found that running a system where the users can put up their own web pages is most insecure. It's virtually impossible to know what each user is running under their web space. An exploitable version of PHPNuke, for example, leading to the web server privs, and from there, who knows.

So if you can't think of any service that may have been exploited, due to being up to date with security.debian.org, maybe think about what users are running under their webspace. That's a bit of a stab in the dark, but something I feel admins overlook (note to self: look at running Apache in a chroot jail :-p).

So maybe they gained access to a system via something like the above, then found out a common username/password (root, for example) and were able to log in to the other machines via SSH. No need to exploit.

Some things to think about, possibly.

Good luck!

David.

--
.''`.  David Ramsden <david@hexstream.eu.org>
: :' : http://portal.hexstream.eu.org/
`. `'` PGP key ID: 507B379B on wwwkeys.pgp.net
  `-   Debian - when you have better things to do than to fix a system.
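The hop-between-boxes-over-SSH hypothesis in the reply above suggests one concrete thing to look for in sshd logs: root logging in with a password rather than a key, particularly from another one of your own machines. The following is an added example (not code from the thread or from Debian) that parses constructed auth.log lines in the format OpenSSH uses for accepted logins and flags exactly that pattern; the host list and log lines are made up for the example.

```python
import re

# Constructed sample auth.log lines (not taken from the thread), in the
# "Accepted <method> for <user> from <addr> port <n> ssh2" form sshd logs.
SAMPLE_AUTH_LOG = """\
May 25 13:58:01 web1 sshd[2031]: Accepted publickey for deploy from 10.0.0.5 port 40122 ssh2
May 25 14:02:17 web1 sshd[2044]: Accepted password for root from 10.0.0.7 port 51873 ssh2
May 25 14:03:40 web1 sshd[2051]: Accepted password for root from 192.0.2.44 port 33122 ssh2
May 25 14:05:12 web1 sshd[2060]: Accepted password for alice from 10.0.0.9 port 44010 ssh2
"""

# Assumed inventory of our own customer machines (made up for the example).
OWN_HOSTS = {"10.0.0.5", "10.0.0.7", "10.0.0.9"}

ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_accepted(lines):
    """Return one dict per successful sshd login found in the given log lines."""
    events = []
    for line in lines:
        m = ACCEPTED_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def flag_root_password_logins(events, own_hosts):
    """Select logins matching the thread's hypothesis: root authenticating with a
    password (not a key). Each finding records whether the source address is one
    of our own hosts, which would be consistent with box-to-box hopping on a
    shared root password rather than a fresh remote exploit."""
    findings = []
    for e in events:
        if e["user"] == "root" and e["method"] == "password":
            findings.append({**e, "from_own_host": e["src"] in own_hosts})
    return findings


if __name__ == "__main__":
    for f in flag_root_password_logins(parse_accepted(SAMPLE_AUTH_LOG.splitlines()), OWN_HOSTS):
        tag = "OWN HOST" if f["from_own_host"] else "external"
        print(f"{f['ts']} {f['host']}: root password login from {f['src']} ({tag})")
```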