
Re: how to fix rootkit?



Hello Alexander,

On 2/8/12 09:53 , volk@lab127.karelia.ru wrote:
> Today I found the following on squeeze. Please help me fix it, I have no
> experience with such tasks.
> 
> Checking `ifconfig'... INFECTED

I was wondering if we're not losing perspective of what is realistic in a certain situation, especially for people without previous experience in handling such attacks and whose job is not necessarily that of a full-time system administrator. Sometimes we have other people needing that server back as soon as possible, and a schedule to keep. Spending a few weeks on forensic analysis isn't always an option, when the probability of actually finding anything useful is low.

Your signature mentions you're a senior Java developer/architect - I assume you got a test or production server cracked. My advice is to ask your manager how he perceives the risk of this happening again. If he's ready to invest some money, find a local computer security company which does Linux; they will image the cracked system and analyse it, while you can do a clean reinstall and get on with your normal development activities. If your company isn't prepared to invest any money in this, just reinstall clean and monitor the server in the coming months, looking for unusual things like rootkit warnings or funny things in the logs, to make sure the server wasn't compromised again.

If this is a server used for your Java code, perhaps it would be worth looking into vulnerabilities in your own Java code, or in the JRE. I know there are a lot of enterprise Java apps needing older (no longer supported) versions of the JDK, like 1.4 or so, and Java vulnerabilities are not exactly rare. If someone manages to load his own .class into your app and execute it on the server, root access is just one local privilege escalation away.

If you do find it was an unpatched vulnerability in Debian, instead of your own code, please contact the Debian security team, so they can fix it - we'll all benefit from it.

Best regards,
  Laurentiu
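The quoted chkrootkit line and the advice above to watch for rootkit warnings both come down to one question: does the binary on disk still match what the package shipped? The script below is an added example, not part of this thread and not debsums itself; it reimplements that check (compare files against the `md5  path` records dpkg keeps under /var/lib/dpkg/info/*.md5sums) against a constructed sample tree. The package name, file contents and the tampering are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): a debsums-style integrity check.
# dpkg records one "md5sum  relative/path" line per installed file in
# /var/lib/dpkg/info/<package>.md5sums; comparing the files on disk against
# those records is the quickest way to confirm or refute a chkrootkit hit.

# check_md5sums <md5sums-file> <root>
# Prints one line per mismatching or missing file.
# Returns 0 when every recorded file matches, 1 otherwise.
check_md5sums() {
    sums="$1"; root="$2"; rc=0
    while read -r expected path; do
        [ -n "$path" ] || continue          # skip blank lines
        f="$root/$path"
        if [ ! -f "$f" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        actual=$(md5sum "$f" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $path (expected $expected got $actual)"; rc=1
        fi
    done < "$sums"
    return $rc
}

# make_sample_tree <dir>
# Builds a constructed stand-in for a package's files plus its md5sums
# record. The binaries are text stand-ins; the hashes are computed, not
# hard-coded, so the record is consistent with the clean files.
make_sample_tree() {
    d="$1"
    mkdir -p "$d/root/sbin" "$d/root/bin" "$d/info"
    printf 'clean ifconfig binary (constructed stand-in)\n' > "$d/root/sbin/ifconfig"
    printf 'clean netstat binary (constructed stand-in)\n'  > "$d/root/bin/netstat"
    # dpkg stores paths relative to /, without a leading slash
    ( cd "$d/root" && md5sum sbin/ifconfig bin/netstat ) > "$d/info/net-tools.md5sums"
}

# trojan_sample <dir>
# Simulates what a user-land rootkit does: replaces one binary and
# removes another. Purely constructed for the demonstration.
trojan_sample() {
    d="$1"
    printf 'trojaned: hides the attacker'"'"'s sockets\n' >> "$d/root/sbin/ifconfig"
    rm -f "$d/root/bin/netstat"
}

# Stand-alone demo: verify the clean tree, tamper with it, verify again.
demo() {
    d=$(mktemp -d)
    make_sample_tree "$d"
    echo "--- clean tree:"
    check_md5sums "$d/info/net-tools.md5sums" "$d/root" && echo "all recorded files match"
    trojan_sample "$d"
    echo "--- after tampering:"
    check_md5sums "$d/info/net-tools.md5sums" "$d/root" || echo "integrity check failed"
    rm -rf "$d"
}
demo
```

On a real box, run this from rescue media against the mounted image (`check_md5sums /mnt/var/lib/dpkg/info/net-tools.md5sums /mnt`), and take the md5sums record from a freshly downloaded .deb rather than from the suspect disk: on a live rootkitted host, md5sum, the .md5sums files and the kernel itself may all lie. A mismatch on ifconfig confirms the chkrootkit finding; a clean result only clears user-land replacement of the listed files, not a kernel-level rootkit, so it is a triage step before the reinstall recommended above, not a substitute for it.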
