
Re: Restrict server access



On Monday 16 April 2007 17:07, Will Parkinson wrote:
> Yeah, this sounds like the only safe option I can take at this point, as
> there is private data on the server.  Although, do you have any idea how
> this could have happened? The server is not in house, it is hosted by a
> third party, who are also investigating this problem, and he seems to
> think the system has not been hacked.  Reinstalling the system is a good
> option at this point, but if I can't find out where this problem
> originated, I am leaving myself open for this to happen again.

That would depend upon the installed software and the configuration.  You
can save a copy of the compromised system and have someone investigate it.
There are no guarantees but most likely the attack vector can be determined
if the log files are good.

If you want to try yourself, check the modified and creation times of the
spam script you found in /tmp, and then check through all your logs for
unusual activity around that time.  Be sure to do this when the disks
are mounted read-only noexec in another system - you can't tell anything
while you're running in a compromised system.  If the logs don't help,
you can also try searching for any files or directories that were modified
within an hour (or within a day) of the spam script's arrival.  You may
find more exploits and/or clues that way.

Be advised that the original exploit may have been much earlier.  A black
hat may have gained control of the server and later returned to send spam
or simply sold control to a spammer.

As for the person who thinks the server was not hacked, how does he account
for the existence of the spam script in /tmp?

--Mike Bird
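One concrete form of the timestamp sweep Mike describes (take the spam script's mtime, then look for anything else modified within an hour or a day of it), as an added example that is not part of the original thread. It assumes the suspect disk has already been mounted read-only and noexec in a clean system (the `/mnt/evidence` and `/dev/sdb1` paths in the comment are placeholders), and that GNU `stat`/`find` are available. The demo tree it builds with `mktemp` and `touch -t` is constructed sample data standing in for the mounted image.

```shell
#!/bin/sh
# Added example (not from the original thread): list files whose modification
# time lies within a window around a reference file's mtime, e.g. the spam
# script found in /tmp. Run this from a clean system against a disk mounted
# like this (device and mount point are assumed, not from the thread):
#   mount -o ro,noexec,nodev,nosuid /dev/sdb1 /mnt/evidence
# Requires GNU stat (stat -c %Y prints the mtime as epoch seconds).

# files_near_mtime REF_FILE WINDOW_SECONDS ROOT...
# Prints "<epoch> <path>" for every regular file under ROOT whose mtime is
# within WINDOW_SECONDS of REF_FILE's mtime, oldest first. The reference
# file itself is included, which is a useful sanity check.
files_near_mtime() {
    ref="$1"; window="$2"; shift 2
    ref_mtime=$(stat -c %Y "$ref") || return 1
    lo=$((ref_mtime - window)); hi=$((ref_mtime + window))
    find "$@" -type f -print 2>/dev/null | while IFS= read -r f; do
        m=$(stat -c %Y "$f")
        [ "$m" -ge "$lo" ] && [ "$m" -le "$hi" ] && printf '%s %s\n' "$m" "$f"
    done | sort -n
}

# Same sweep, but only the number of hits (handy when scripting a triage).
count_files_near_mtime() {
    files_near_mtime "$@" | wc -l | tr -d ' '
}

# --- constructed demo tree standing in for the mounted evidence disk ---
# Timestamps are set with touch -t so the result is reproducible:
#   tmp/spam.pl          16 Apr 2007 03:00  (the "spam script")
#   var/www/.cache.php   16 Apr 2007 02:40  (dropped 20 minutes earlier)
#   var/www/index.php    16 Apr 2007 06:00  (touched 3 hours later)
#   home/user/.bashrc     1 Mar 2007 09:00  (unrelated, weeks old)
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/tmp" "$d/var/www" "$d/home/user"
    printf 'fake\n' > "$d/tmp/spam.pl"
    printf 'x\n' > "$d/var/www/.cache.php"
    printf 'x\n' > "$d/var/www/index.php"
    printf 'x\n' > "$d/home/user/.bashrc"
    touch -t 200704160300.00 "$d/tmp/spam.pl"
    touch -t 200704160240.00 "$d/var/www/.cache.php"
    touch -t 200704160600.00 "$d/var/www/index.php"
    touch -t 200703010900.00 "$d/home/user/.bashrc"
    printf '%s\n' "$d"
}

# Usage: everything within one hour (3600 s) of the spam script's mtime.
# Widen the window to 86400 for the "within a day" pass Mike mentions.
demo() {
    root=$(make_demo_tree)
    files_near_mtime "$root/tmp/spam.pl" 3600 "$root"
}
```

Run the one-hour pass first; on the demo tree it returns only `.cache.php` and the script itself, while the one-day pass also picks up `index.php`. On a real image, widen the window step by step and read the hits against the web server, mail and auth logs from the same interval, remembering the original intrusion may predate the spam script by a long time.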
