Re: Server injection attack
On Monday 09 July 2007 22:14, rocky wrote:
> Thank you very much for your help! Are you meaning someone has been
> controlling our server?
Given that your server is attacking other servers, and assuming you
yourself are not attacking those other servers, then someone else is
running attack software on your server. Whether they have total
control of your server is not something that you can determine while
the server is still running.
> If we are going to reinstall the server, we will need to use the backup
> to restore the websites hosted on our server. Does the back up will make
> the new installation of the server vulnerable?
After the server is powered off and you have found someone knowledgable
and trustworthy, that person will examine the server's hard drives using
a secure system. He or she will neither boot the drives nor execute any
program or script on them, for they are all compromised. He or she will
only read the compromised drives. With luck he or she will be able to
determine the vulnerability, and with luck he or she will be able to
extract your data either from the hard drives or from the backups without
reintroducing the malware.
The server will then be wiped and reinstalled with different passwords
and keys, the vulnerability will be fixed, and the backed up data minus
any malware will be restored. Then the server can be put back online.
You might want to think about which version of Debian was the server
running, which Debian packages were installed, were all relevant
security updates applied, was any non-Debian software installed, and
were any weak passwords used?
While you are waiting for the expert, you could save some time by using
a different and secure system to start googling or otherwise checking
for known security problems with the versions of the software that your
server was running. PHP applications are often at fault, but there are
many other possibilities.
There are no easy solutions. Sorry.