Need a consultant

JD Austin jd at twingeckos.com
Tue Feb 16 14:37:46 MST 2010


My 2 cents :)
It may be a simple web form exploit or something more serious and they have
no guarantee that it won't be exploited again and again.
I'm not a security expert but used to hang out with hackers back when it was
just starting to be illegal and have a good understanding of how they think
and operate.  I'm perfectly capable of doing such things but thankfully
hacking never appealed to me :)  Good hackers will patch your system in ways
you would never detect... for that matter you'd never even know they were
there... they won't show up in a process list, you won't find their files
searching for them, they eliminate any trace of themselves in logs, and you
probably won't find their back door unless they're amateur 'script
kiddies'.  Fortunately MOST hacker attacks are script kiddies.  You'll
usually find traces of their attack in logs and temp folders.

The 'clean and recover' method will never give you 100% certainty that
you've eliminated the exploit.  The machine could have patched binaries all
over the place.  I have cleaned up such messes before; it can be very time
consuming.  Even if you find how they got in, how can you ever be completely
sure you've stopped them from getting back in without building a new
instance to replace it?

The safest way to deal with it is to build a hardened server from scratch;
before loading data:

   - change all passwords/etc on the new server
   - generate new ssh keys if they exist
   - install mod_ssl, intrusion detection, and fail2ban/denyhosts
   - re-write applications NOT to use register_globals in PHP and turn it off
   - turn up logging
   - migrate the applications/data to it after checking logs for clues of exploit and fix before migrating.

The data center can probably give them some information to help them find
where their server was exploited.

JD
On Tue, Feb 16, 2010 at 1:50 PM, James Finstrom <jfinstrom at rhinoequipment.com> wrote:

> Greetings,
>
> Hello all, a customer contacted me today and they appear to have a rootkit
> or some other software placed on their system that is causing it to act as a
> proxy used in attacks on other servers, causing their ISP to kill em. They
> prefer to clean and recover over re-install. Their system is CentOS 5 but no
> other details are available. If you're a security person and would like to
> consult this client, please email me for contact information.
>
> Thanks,
>
> --
> James Finstrom
> Rhino Equipment Corp.
> http://rhinoequipment.com ~ http://postug.com
> Phone: 1-877-RHINO-T1 ~ FAX: +1 (480) 961-1826
> Twitter: http://twitter.com/rhinoequipment
> IP: guest at asterisk.rhinoequipment.com
>
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>



-- 
JD Austin
Twin Geckos Technology Services LLC
jd at twingeckos.com
Voice: 480.288.8195x201
Fax: 480.406.6753
http://www.twingeckos.com

"Being powerful is like being a lady. If you have to tell people, you
aren't." - M. Thatcher
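The rebuild checklist in JD's message can be turned into checks that a replacement server has to pass before data is migrated. The script below is an added example, not code from the thread or from either poster: it verifies that register_globals is really off in a php.ini, that the SSH host key was regenerated rather than copied from the compromised box, and it counts requests in the old access log whose query string tries to set PHP superglobals through the URL (one assumption about what a "clue of exploit" looks like). File paths are passed as arguments, and `make_samples` writes constructed sample files so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example: three checks for a rebuilt server, following the list in
# the message above. Not code from the thread or from either poster.
# File paths are arguments; make_samples writes constructed sample files.

# Check 1: register_globals is Off. Comments (';' to end of line) are
# stripped and the last directive wins, the way php.ini itself is read.
# A missing directive counts as Off, PHP's default since 4.2.
php_register_globals_off() {
    val=$(sed 's/;.*//' "$1" \
        | grep -i '^[[:space:]]*register_globals[[:space:]]*=' \
        | tail -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//' \
        | tr -d '[:space:]"' \
        | tr 'A-Z' 'a-z')
    case "$val" in
        ''|off|0|false|no) return 0 ;;
        *) return 1 ;;
    esac
}

# Check 2: the SSH host key was regenerated, not carried over. Both files
# must exist and be non-empty, and they must differ byte for byte.
ssh_host_key_rotated() {
    [ -s "$1" ] && [ -s "$2" ] && ! cmp -s "$1" "$2"
}

# Check 3: count access-log lines whose URL tries to set a PHP superglobal,
# the kind of request register_globals lets through. The pattern is an
# assumption for this example. Prints the count and always exits 0.
count_globals_injection_hits() {
    grep -cE '(GLOBALS|_SERVER|_SESSION|_COOKIE)\[' "$1" || true
}

# Constructed sample files (not real data), written into the given directory.
make_samples() {
    d="$1"
    printf 'register_globals = On ; left on by the old build\n' > "$d/old.ini"
    printf '; hardened build\nregister_globals = Off\n' > "$d/new.ini"
    printf 'display_errors = Off\n' > "$d/absent.ini"
    printf 'CONSTRUCTED-KEY-A\n' > "$d/old_host_key"
    printf 'CONSTRUCTED-KEY-B\n' > "$d/new_host_key"
    printf '%s\n' \
      '10.0.0.5 - - [16/Feb/2010:13:50:01 -0700] "GET /index.php HTTP/1.1" 200 512' \
      '10.0.0.9 - - [16/Feb/2010:13:50:07 -0700] "GET /index.php?GLOBALS[admin]=1 HTTP/1.1" 200 512' \
      '10.0.0.9 - - [16/Feb/2010:13:50:09 -0700] "GET /page.php?_SESSION[user]=root HTTP/1.1" 200 330' \
      > "$d/access.log"
}

# Stand-alone run: report each check against the sample files.
demo() {
    d=$(mktemp -d)
    make_samples "$d"
    php_register_globals_off "$d/old.ini" && echo "old.ini: PASS" || echo "old.ini: FAIL (register_globals still on)"
    php_register_globals_off "$d/new.ini" && echo "new.ini: PASS" || echo "new.ini: FAIL"
    ssh_host_key_rotated "$d/old_host_key" "$d/new_host_key" && echo "host key: rotated" || echo "host key: NOT rotated"
    echo "suspicious requests in old log: $(count_globals_injection_hits "$d/access.log")"
    rm -rf "$d"
}
demo
```

Run it as `sh checks.sh` on any POSIX shell; to use it on real files, call the three check functions with the server's own php.ini, key files and access log instead of the constructed ones.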