I'm gonna wait for Lisa to chime in, and then say, "yeah, what she said" :)
On Tue, Feb 16, 2010 at 2:37 PM, JD Austin <jd@twingeckos.com> wrote:
> My 2 cents :)
> It may be a simple web form exploit or something more serious and they have
> no guarantee that it won't be exploited again and again.
> I'm not a security expert but used to hang out with hackers back when it
> was just starting to be illegal and have a good understanding of how they
> think and operate. I'm perfectly capable of doing such things but
> thankfully hacking never appealed to me :) Good hackers will patch your
> system in ways you would never detect... for that matter you'd never even
> know they were there... they won't show up in a process list, you won't find
> their files searching for them, they eliminate any trace of themselves in
> logs, and you probably won't find their back door unless they're amateur
> 'script kiddies'. Fortunately MOST hacker attacks are script kiddies.
> You'll usually find traces of their attack in logs and temp folders.
>
> The 'clean and recover' method will never give you 100% certainty that
> you've eliminated the exploit. The machine could have patched binaries all
> over the place. I have cleaned up such messes before; it can be very time
> consuming. Even if you find how they got in, how can you ever be completely
> sure you've stopped them from getting back in without building a new
> instance to replace it?
>
> The safest way to deal with it is to build a hardened server from scratch;
> before loading data:
>
> - change all passwords/etc on the new server
> - generate new ssh keys if they exist
> - install mod_ssl, intrusion detection, and fail2ban/denyhosts
> - re-write applications NOT to use register_globals in PHP and turn it off
> - turn up logging
> - migrate the applications/data to it after checking logs for clues of exploit and fix before migrating.
>
> The data center can probably give them some information to help them find
> where their server was exploited.
>
> JD
> On Tue, Feb 16, 2010 at 1:50 PM, James Finstrom <jfinstrom@rhinoequipment.com> wrote:
>
>> Greetings,
>>
>> Hello all, a customer contacted me today and they appear to have a rootkit
>> or some other software placed on their system that is causing it to act as a
>> proxy used in attacks on other servers, causing their ISP to kill 'em. They
>> prefer to clean and recover over re-install. Their system is CentOS 5 but no
>> other details are available. If you're a security person and would like to
>> consult this client, please email me for contact information.
>>
>> Thanks,
>>
>> --
>> James Finstrom
>> Rhino Equipment Corp.
>> http://rhinoequipment.com ~ http://postug.com
>> Phone: 1-877-RHINO-T1 ~ FAX: +1 (480) 961-1826
>> Twitter: http://twitter.com/rhinoequipment
>> IP: guest@asterisk.rhinoequipment.com
>>
>>
>>
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>
>
>
>
> --
> JD Austin
> Twin Geckos Technology Services LLC
> jd@twingeckos.com
> Voice: 480.288.8195x201
> Fax: 480.406.6753
> http://www.twingeckos.com
>
> "Being powerful is like being a lady. If you have to tell people, you
> aren't." - M. Thatcher<http://feedproxy.google.com/%7Er/randomquotes/%7E3/G2PjcLJ0ONI/>
>
--
Eric Cope
http://cope-et-al.com
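JD's warning above that the box "could have patched binaries all over the place" is something a responder can partly check before choosing between clean-up and rebuild. The script below is an added example and not code from anyone in this thread: it triages the output of `rpm -Va`, which on an RPM-based system such as the customer's CentOS 5 box verifies every packaged file against the RPM database and prints one line per file that fails a test. The sample report embedded in it is constructed for the example, and the severity rules and the list of "code" directories are this example's own assumptions, not anything rpm defines.

```python
#!/usr/bin/env python3
"""Triage `rpm -Va` output to spot replaced package files on an RPM-based host.

Added example for the PLUG thread on cleaning vs. rebuilding a rootkitted
CentOS 5 box; not code from any of the posters. Severity rules and the
CODE_DIRS list are this example's own choices.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "path severity reason")

# One `rpm -Va` line: eight flag columns, an optional attribute letter, a path.
#   S size  M mode  5 digest  D device  L symlink  U user  G group  T mtime
#   '.' means that test passed, '?' means it could not be run.
# Attribute letters: c config, d documentation, g ghost, l license, r readme.
VERIFY_RE = re.compile(
    r"^(?P<flags>[SM5DLUGT.?]{8})\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/.*)$")
MISSING_RE = re.compile(r"^missing\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/.*)$")

# Assumption: a changed file under one of these means a trojaned tool or
# library rather than an edited config.
CODE_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/",
             "/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}


def _is_code(path):
    return path.startswith(CODE_DIRS)


def classify_line(line):
    """Turn one `rpm -Va` line into a Finding; None for blank or unparsable lines."""
    line = line.rstrip()
    m = MISSING_RE.match(line)
    if m:
        path = m.group("path")
        return Finding(path, "high" if _is_code(path) else "low",
                       "packaged file is missing")
    m = VERIFY_RE.match(line)
    if not m:
        return None
    flags, attr, path = m.group("flags"), m.group("attr"), m.group("path")
    content_changed = "5" in flags or "S" in flags
    if attr == "c":
        # Admins edit configs, so drift here is normal; the diff is still
        # worth reading (sshd_config, PAM, ld.so.conf, rc scripts).
        if content_changed:
            return Finding(path, "low", "config file edited")
        return Finding(path, "info", "config metadata changed")
    if attr in ("d", "l", "r", "g"):
        return Finding(path, "info", "documentation or ghost file changed")
    code = _is_code(path)
    if content_changed:
        return Finding(path, "critical" if code else "high",
                       "contents differ from the package" +
                       (" (replaced binary?)" if code else ""))
    if "M" in flags:
        return Finding(path, "high" if code else "medium",
                       "mode changed (check for a new setuid/setgid bit)")
    if "L" in flags:
        return Finding(path, "high" if code else "medium",
                       "symlink now points somewhere else")
    if "U" in flags or "G" in flags:
        return Finding(path, "medium", "owner or group changed")
    if "?" in flags:
        return Finding(path, "medium",
                       "a test could not run; rerun as root or from rescue media")
    return Finding(path, "low" if code else "info", "mtime changed only")


def triage(report):
    """Parse a whole `rpm -Va` report into Findings, worst first."""
    findings = (classify_line(line) for line in report.splitlines())
    return sorted((f for f in findings if f),
                  key=lambda f: (SEVERITY_ORDER[f.severity], f.path))


def verdict(findings):
    """'rebuild' on any critical/high finding, otherwise 'inconclusive'.

    Never 'clean': rpm cannot see files no package owns, and a rootkit may
    be hiding the rest from it."""
    if any(f.severity in ("critical", "high") for f in findings):
        return "rebuild"
    return "inconclusive"


# Constructed sample in `rpm -Va` format; not output from the customer's box.
SAMPLE_REPORT = """\
S.5....T    /bin/ps
S.5....T    /bin/ls
.M......    /usr/bin/find
S.5....T  c /etc/ssh/sshd_config
.......T  d /usr/share/doc/openssh-4.3p2/README
missing     /sbin/ifconfig
..?.....    /usr/lib/libz.so.1.2.3
.....UG.    /usr/share/man/man1/ls.1.gz
"""

if __name__ == "__main__":
    import sys
    text = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    results = triage(text)
    for f in results:
        print(f"{f.severity:<9} {f.path}  ({f.reason})")
    print("verdict:", verdict(results))
```

Run it as `rpm -Va | python3 rpm_triage.py` (the file name is arbitrary). Two caveats echo JD's point. First, rpm only sees files that belong to packages, so a back door dropped in /tmp or under the web root is invisible to it. Second, on a live system both the RPM database and the rpm binary sit on the suspect disk, where a kernel or LD_PRELOAD rootkit can lie to them; a dirty report is therefore strong evidence for rebuilding, while a clean one proves little, which is why verdict() never answers "clean". To take the victim's own rpm and kernel out of the loop, boot rescue media, mount the disk, and run `rpm -Va --root /mnt/victim` from there.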