
Re: Restrict server access



Mike Bird wrote:
On Sunday 15 April 2007 19:47, Will Parkinson wrote:
No, it was our server that was sending the spam, so there must have been a
script placed on our server by someone else (i.e. we were hacked or
something).
This is somewhat unusual; relaying is much more common.  I assume you
have carefully checked the spam headers to verify that they originated
on your server and are not forgeries or relays.

The next and urgent step is to shut the server down.  While the server is
potentially or actually compromised, you don't know what the attacker can
do.  For example, the attacker may have a script which (a) hides itself
from ls and ps and (b) notes any passwords you use to access the system
whether remotely or locally and (c) repeatedly attempts to mail them out
at random intervals perhaps days or weeks apart.

Remove the disks from the server, attach them to a known secure system,
and mount them read-only and noexec.  Without booting from them or
executing any programs or scripts on them, verify that they have no
material that should not be there.

If that is impossible or impractical (and it usually is) then copy off
the portion that you can verify is safe - perhaps some email messages
and/or some web pages - and completely wipe the suspect drives.  Then
reinstall Linux and copy only the safe saved data back.

If possible, before wiping the drives, and again without booting or
executing, attempt to determine the attack vector from your logs and
from changed files.  File a bug report if the attack used a previously
unknown vector.

Limiting your firewall to AU IP addresses, even if the attacker can't
circumvent it, is not an option.  You do not know what attacks your
box may be perpetrating against other innocent parties.  If in doubt,
turn it off, consult a good lawyer, and ask him or her if it's OK to
turn it back on.

--Mike Bird


Yeah, this sounds like the only safe option I can take at this point, as there is private data on the server. Although, do you have any idea how this could have happened? The server is not in house; it is hosted by a third party, who are also investigating this problem, and he seems to think the system has not been hacked. Reinstalling the system is a good option at this point, but if I can't find out where this problem originated, I am leaving myself open for this to happen again.
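The header check Mike recommends above (verify that the spam really originated on your server rather than being relayed through it or forged to look that way) can be made mechanical. The script below is an added example and is not from either poster; it assumes a hypothetical compromised host named mail.example.com.au at 203.0.113.10, and the three sample messages are constructed for the example. It walks the Received chain from the most recent hop down, stops at the first header stamped by a host you control (everything below that point was written by untrusted hosts and cannot be believed), and reports whether that hop shows a local submission, an SMTP relay from an outside address, or a forged trail that never passed through your server at all.

```python
import email
import re

# Hypothetical identity of the server under investigation (assumption, not from the thread).
OUR_HOSTS = {"mail.example.com.au", "www.example.com.au"}
OUR_IPS = {"203.0.113.10"}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.\-]+)")
FROM_RE = re.compile(r"\bfrom\s+([^\s()]+)")


def classify_spam_origin(raw_message, our_hosts=OUR_HOSTS, our_ips=OUR_IPS):
    """Decide whether a spam message originated on, was relayed through, or
    merely claims to have passed through one of our hosts.

    Received headers are listed most-recent-first, so the first header whose
    'by' names one of our hosts is the one we stamped; the header directly
    above it was added by the next receiver and must show it got the message
    from one of our IPs, otherwise our stamp is a forgery."""
    msg = email.message_from_string(raw_message)
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    for idx, hop in enumerate(hops):
        by = BY_RE.search(hop)
        if not by or by.group(1).lower() not in our_hosts:
            continue  # stamped by someone else; keep walking down
        our_host = by.group(1).lower()
        if idx > 0:
            above_ip = IP_RE.search(hops[idx - 1])
            if above_ip is None or above_ip.group(1) not in our_ips:
                return {"verdict": "forged", "trusted_hop": None,
                        "source": above_ip.group(1) if above_ip else None}
        # Local submission (Postfix "from userid N", sendmail "(from user@localhost)")
        if re.search(r"from userid \d+", hop) or re.search(r"\(from [^\s@]+@localhost\)", hop):
            return {"verdict": "originated", "trusted_hop": our_host, "source": "local submission"}
        ip = IP_RE.search(hop)
        frm = FROM_RE.search(hop)
        source = ip.group(1) if ip else (frm.group(1) if frm else None)
        if source is None or source.lower() in {"localhost", "127.0.0.1", our_host} or source in our_ips:
            return {"verdict": "originated", "trusted_hop": our_host, "source": source or "local"}
        return {"verdict": "relayed", "trusted_hop": our_host, "source": source}
    return {"verdict": "no-trusted-hop", "trusted_hop": None, "source": None}


# Constructed sample 1: a script on our box handed the mail to the local MTA.
ORIGINATED_SAMPLE = "\n".join([
    "Received: from mail.example.com.au (mail.example.com.au [203.0.113.10])",
    "\tby mx.recipient.example (Postfix) with ESMTP id 4F2A1C7",
    "\tfor <victim@recipient.example>; Sun, 15 Apr 2007 19:02:11 +1000",
    "Received: by mail.example.com.au (Postfix, from userid 33)",
    "\tid 9B2C1A4; Sun, 15 Apr 2007 19:02:09 +1000",
    "From: Lucky Winner <promo@example.net>",
    "To: victim@recipient.example",
    "Subject: You have won",
    "",
    "Click here.",
])

# Constructed sample 2: an outside host pushed the mail through our MTA (open relay).
RELAYED_SAMPLE = "\n".join([
    "Received: from mail.example.com.au (mail.example.com.au [203.0.113.10])",
    "\tby mx.recipient.example (Postfix) with ESMTP id 5C3B2D8;",
    "\tSun, 15 Apr 2007 19:05:40 +1000",
    "Received: from unknown (HELO friend) ([198.51.100.7])",
    "\tby mail.example.com.au (Postfix) with SMTP id 1D2E3F4;",
    "\tSun, 15 Apr 2007 19:05:38 +1000",
    "From: Lucky Winner <promo@example.net>",
    "Subject: You have won",
    "",
    "Click here.",
])

# Constructed sample 3: the spammer forged a header naming us, but the recipient's
# MX actually received the mail from 192.0.2.5, not from our IP.
FORGED_SAMPLE = "\n".join([
    "Received: from something.example (something.example [192.0.2.5])",
    "\tby mx.recipient.example (Postfix) with ESMTP id 7A7A7A7;",
    "\tSun, 15 Apr 2007 19:09:02 +1000",
    "Received: from [10.0.0.1] by mail.example.com.au with SMTP id 123;",
    "\tSun, 15 Apr 2007 19:09:00 +1000",
    "From: Lucky Winner <promo@example.net>",
    "Subject: You have won",
    "",
    "Click here.",
])

if __name__ == "__main__":
    for name, sample in [("originated", ORIGINATED_SAMPLE),
                         ("relayed", RELAYED_SAMPLE),
                         ("forged", FORGED_SAMPLE)]:
        print(name, classify_spam_origin(sample))
```

Only an "originated" verdict with "local submission" as the source supports the conclusion that a script on the box is sending mail; a "relayed" verdict points at the MTA configuration instead, and a "forged" verdict means the complaint does not implicate the server at all. Run it over the actual spam samples the hosting provider or the complainant forwarded, with the real hostnames and IPs substituted.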

