I'm gonna wait for Lisa to chime in, and then say, "yeah, what she said" :)

On Tue, Feb 16, 2010 at 2:37 PM, JD Austin wrote:
> My 2 cents :)
>
> It may be a simple web form exploit or something more serious and they have
> no guarantee that it won't be exploited again and again.
>
> I'm not a security expert but used to hang out with hackers back when it
> was just starting to be illegal and have a good understanding of how they
> think and operate. I'm perfectly capable of doing such things but
> thankfully hacking never appealed to me :) Good hackers will patch your
> system in ways you would never detect... for that matter you'd never even
> know they were there... they won't show up in a process list, you won't find
> their files searching for them, they eliminate any trace of themselves in
> logs, and you probably won't find their back door unless they're amateur
> 'script kiddies'. Fortunately MOST hacker attacks are script kiddies.
> You'll usually find traces of their attack in logs and temp folders.
>
> The 'clean and recover' method will never give you 100% certainty that
> you've eliminated the exploit. The machine could have patched binaries all
> over the place. I have cleaned up such messes before; it can be very time
> consuming. Even if you find how they got in, how can you ever be completely
> sure you've stopped them from getting back in without building a new
> instance to replace it?
>
> The safest way to deal with it is to build a hardened server from scratch;
> before loading data:
>
> - change all passwords/etc on the new server
> - generate new ssh keys if they exist
> - install mod_ssl, intrusion detection, and fail2ban/denyhosts
> - re-write applications NOT to use register_globals in PHP and turn it off
> - turn up logging
> - migrate the applications/data to it after checking logs for clues of
>   exploit and fix before migrating.
>
> The data center can probably give them some information to help them find
> where their server was exploited.
>
> JD
>
> On Tue, Feb 16, 2010 at 1:50 PM, James Finstrom <jfinstrom@rhinoequipment.com> wrote:
>
>> Greetings,
>>
>> Hello all, a customer contacted me today and they appear to have a root kit
>> or some other software placed on their system that is causing it to act as a
>> proxy used in attacks on other servers, causing their ISP to kill 'em. They
>> prefer to clean and recover over re-install. Their system is CentOS 5 but no
>> other details are available. If you're a security person and would like to
>> consult this client, please email me for contact information.
>>
>> Thanks,
>>
>> --
>> James Finstrom
>> Rhino Equipment Corp.
>> http://rhinoequipment.com ~ http://postug.com
>> Phone: 1-877-RHINO-T1 ~ FAX: +1 (480) 961-1826
>> Twitter: http://twitter.com/rhinoequipment
>> IP: guest@asterisk.rhinoequipment.com
>>
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
> --
> JD Austin
> Twin Geckos Technology Services LLC
> jd@twingeckos.com
> Voice: 480.288.8195x201
> Fax: 480.406.6753
> http://www.twingeckos.com
>
> "Being powerful is like being a lady. If you have to tell people, you
> aren't." - M. Thatcher

--
Eric Cope
http://cope-et-al.com
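Two items on JD's rebuild checklist above (turn register_globals off, turn up logging) can be verified on the new server's config files before data is migrated. The script below is an added example, not code from the thread or from any of the posters; it assumes a php.ini using "key = value" lines and an httpd.conf using "Directive value" lines, and the sample configs it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Baseline check for a server rebuilt per the thread's checklist. Each check
# takes a config file path, so it can run against staged copies of the new
# server's files before anything is migrated onto it.

# cfg_value FILE KEY SEP WHICH -> value of KEY, lowercased, comments stripped.
# SEP is '=' (php.ini) or ' ' (httpd.conf); WHICH is head or tail, because
# php.ini lets a later line override an earlier one (take the last) while we
# want the first, global LogLevel from httpd.conf (take the first).
cfg_value() {
    grep -i "^[[:space:]]*$2[[:space:]]*$3" "$1" | "$4" -n 1 |
        sed "s/^[^$3]*$3[[:space:]]*//; s/[[:space:];#].*//" | tr 'A-Z' 'a-z'
}

# Checklist item: register_globals turned off. Only an explicit Off passes; a
# missing line means the box is relying on whatever default the package shipped.
php_register_globals_off() {
    case "$(cfg_value "$1" register_globals = tail)" in
        off|0|false|no) return 0 ;;
        *) return 1 ;;
    esac
}

# Checklist item: logging turned up. Apache's stock level is warn; info or
# debug means the rebuilt server will record the request-level detail the
# thread says to look for when hunting clues of the original exploit.
httpd_logging_raised() {
    case "$(cfg_value "$1" LogLevel ' ' head)" in
        info|debug) return 0 ;;
        *) return 1 ;;
    esac
}

# audit PHP_INI HTTPD_CONF: one PASS/FAIL line per check; returns failure count.
audit() {
    fails=0
    php_register_globals_off "$1" && echo "PASS register_globals explicitly off" \
        || { echo "FAIL register_globals not explicitly off in $1"; fails=$((fails+1)); }
    httpd_logging_raised "$2" && echo "PASS LogLevel raised above warn" \
        || { echo "FAIL LogLevel not raised above warn in $2"; fails=$((fails+1)); }
    return $fails
}

# Constructed sample configs (not from the thread) so the script runs stand-alone.
WORK=$(mktemp -d)
printf '; old box\nregister_globals = On\n' > "$WORK/php-old.ini"
printf 'register_globals = Off ; rebuilt\n' > "$WORK/php-new.ini"
printf 'LogLevel warn\n' > "$WORK/httpd-old.conf"
printf 'LogLevel info\n' > "$WORK/httpd-new.conf"
for n in old new; do
    if audit "$WORK/php-$n.ini" "$WORK/httpd-$n.conf"; then
        echo "$n server: baseline met"
    else
        echo "$n server: $? check(s) failed"
    fi
done
rm -rf "$WORK"
```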