[Article] A strangely compromised Linux box
Lisa Kachold
lisakachold at obnosis.com
Fri Nov 6 10:45:26 MST 2009
On Fri, Nov 6, 2009 at 8:08 AM, Stephen P Rufle <stephen.p.rufle at cox.net>wrote:
> A strangely compromised Linux box
> http://aplawrence.com/Linux/strange-hack.html
>
Hey Steven,
Thanks for that! It's just so amusing -- they never do ANYTHING that is
standard linux administration or security on this!
I.E. Collect exact information and mitigate the threats.
SSH (attack vector) versions, configuration and known exploit mitigation
(keys, protocol 1, forwarding, etc)
crc check against all binary source and cronjobs for veracity
low level file analysis
Mitigation:
IMMEDIATELY the machine must be REBUILT
password management (secure passwords - re-assigned and rotated)
IPTABLE deny and report the source address
IPTABLE dictionary attack - port knocking - brute forcing protection or
OPTIMALLY OpenVPN - (#%*&^%$#)
This was probably a script process that was interrupted before restoring the
/etc/passwd users that was no-doubt unable to find a tool library or a path
for one of the tools it needed to successfully complete.
Serious Laughter!
--
Skype: (623)239-3392
AT&T: (503)754-4452
www.it-clowns.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.PLUG.phoenix.az.us/pipermail/plug-discuss/attachments/20091106/51ee190e/attachment.htm
More information about the PLUG-discuss
mailing list