Re: [Article] A strangely compromised Linux box

Top Page
Attachments:
Message as email
+ (text/plain)
+ (text/html)
+ (text/plain)
Delete this message
Reply to this message
Author: Lisa Kachold
Date:  
To: stephen.p.rufle, Main PLUG discussion list
Subject: Re: [Article] A strangely compromised Linux box
On Fri, Nov 6, 2009 at 8:08 AM, Stephen P Rufle <>wrote:

> A strangely compromised Linux box
> http://aplawrence.com/Linux/strange-hack.html
>


Hey Steven,

Thanks for that! It's just so amusing -- they never do ANYTHING that is
standard linux administration or security on this!

I.E. Collect exact information and mitigate the threats.

SSH (attack vector) versions, configuration and known exploit mitigation
(keys, protocol 1, forwarding, etc)
crc check against all binary source and cronjobs for veracity
low level file analysis

Mitigation:

IMMEDIATELY the machine must be REBUILT
password management (secure passwords - re-assigned and rotated)
IPTABLE deny and report the source address
IPTABLE dictionary attack - port knocking - brute forcing protection or

OPTIMALLY OpenVPN - (#%*&^%$#)

This was probably a script process that was interrupted before restoring the
/etc/passwd users that was no-doubt unable to find a tool library or a path
for one of the tools it needed to successfully complete.

Serious Laughter!

--
Skype: (623)239-3392
AT&T: (503)754-4452
www.it-clowns.com
---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss