
Re: Restrict server access



On Sunday 15 April 2007 19:47, Will Parkinson wrote:
> No it was our server that was sending the spam, so there must have been a
> script placed on our server by someone else (ie we were hacked or
> something)

This is somewhat unusual; relaying is much more common.  I assume you
have carefully checked the spam headers to verify that they originated
on your server and are not forgeries or relays.

The next and urgent step is to shut the server down.  While the server is
potentially or actually compromised, you don't know what the attacker can
do.  For example, the attacker may have a script which (a) hides itself
from ls and ps and (b) notes any passwords you use to access the system
whether remotely or locally and (c) repeatedly attempts to mail them out
at random intervals perhaps days or weeks apart.

Remove the disks from the server, attach them to a known secure system,
and mount them read-only and noexec.  Without booting from them or
executing any programs or scripts on them, verify that they have no
material that should not be there.

If that is impossible or impractical (and it usually is) then copy off
the portion that you can verify is safe - perhaps some email messages
and/or some web pages - and completely wipe the suspect drives.  Then
reinstall Linux and copy only the safe saved data back.

If possible, before wiping the drives, and again without booting or
executing, attempt to determine the attack vector from your logs and
from changed files.  File a bug report if the attack used a previously
unknown vector.

Limiting your firewall to AU IP addresses, even if the attacker can't
circumvent it, is not an option.  You do not know what attacks your
box may be perpetrating against other innocent parties.  If in doubt,
turn it off, consult a good lawyer, and ask him or her if it's OK to
turn it back on.

--Mike Bird
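The offline check Mike describes (pull the disks, attach them to a clean host, mount them read-only and noexec, look for what should not be there, then work out the vector from logs and changed files) written out as an added shell example; it is not code from the thread. The device name /dev/sdb1, the mount point /mnt/suspect and the ext3/ext4 filesystem type are assumptions, and the directory tree it is exercised against below is constructed for the example.

```shell
#!/bin/sh
# Offline triage of a disk pulled from a box suspected of sending spam.
# Added example, not from the original thread.  Assumptions: the disk shows
# up on the clean host as /dev/sdb1 (hypothetical), its root filesystem is
# ext3/ext4, and it is mounted at /mnt/suspect.

# mount_suspect DEV MNT   (needs root on the clean host)
# Mark the block device read-only in the kernel before mounting, then mount
# it so nothing on it can execute (noexec), gain privilege (nosuid) or expose
# device nodes (nodev).  "noload" stops ext3/ext4 from replaying its journal,
# which would otherwise write to the disk even on an "ro" mount.
mount_suspect() {
    blockdev --setro "$1" || return 1
    mkdir -p "$2" && mount -o ro,noexec,nosuid,nodev,noload "$1" "$2"
}

# triage_report ROOT
# Print one tagged line per finding for the filesystem mounted at ROOT.
# Nothing under ROOT is executed, only stat'ed and read, so a rootkit that
# hides files from ls/ps on the live box cannot hide them from this host.
triage_report() {
    root="${1%/}"

    # Setuid/setgid files: check each against the distribution's package
    # lists; an extra one is a classic backdoor.
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null \
        | sed 's|^|SUID |'

    # Executables or scripts in scratch directories, hidden or not.
    for d in tmp var/tmp dev/shm; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -xdev -type f \( -perm -100 -o -name '*.pl' -o -name '*.php' \
            -o -name '*.sh' -o -name '*.py' \) -print
    done | sed 's|^|SCRATCH |'

    # Server-side scripts under the web root: a mailer dropped through a
    # vulnerable web application usually lands here.
    if [ -d "$root/var/www" ]; then
        find "$root/var/www" -xdev -type f \
            \( -name '*.php' -o -name '*.pl' -o -name '*.cgi' \) -print | sed 's|^|WEB |'
    fi

    # Scheduler entries: mailing "at random intervals" needs cron or at.
    for f in "$root"/etc/crontab "$root"/etc/cron.d/* "$root"/var/spool/cron/* \
             "$root"/var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$f" | sed "s|^|CRON $f: |"
    done
}

# recent_changes ROOT DAYS
# Files modified in the last DAYS days, logs excluded: the starting point for
# a timeline of what the attacker touched.
recent_changes() {
    root="${1%/}"
    find "$root" -xdev -type f -mtime "-$2" ! -path "$root/var/log/*" -print
}

# Typical session on the clean host (root required for the mount):
#   mount_suspect /dev/sdb1 /mnt/suspect
#   triage_report /mnt/suspect
#   recent_changes /mnt/suspect 30
```

Everything the report flags still has to be judged by hand (a stock setuid `su` is fine, an unexplained one in `/usr/lib` is not), and the `recent_changes` timeline is only as trustworthy as the attacker was careless about mtimes; combine it with the web and mail logs on the same mount before wiping the disk.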