Re: server compromised?

Author: Vimal Shah
Date:  
To: Main PLUG discussion list
Subject: Re: server compromised?
Thank you for the advice. The necessary security layer that was missing has
been identified and is being incorporated.

Deploying a server from scratch has been tedious (running each command
manually). Capturing all of these commands into a python script seems
obvious. The python script is slow to develop due to the fact that I'm
trying to learn it and code it at the same time.

Has anyone had any experience with Vagrant? Is it worth the time to
investigate?

Lastly, if anyone is available for some consulting on these matters (server
security and deployment), please contact me.


On Thu, Mar 7, 2013 at 4:25 PM, Paul Mooring <> wrote:

> It's likely that if he left that key in there with a valid e-mail
> address then whoever compromised the server wasn't trying to be discreet.
> I would check my auth logs to see when/if someone was logging in from
> somewhere suspect. Next if the server was compromised, it's done, you can
> never trust it again, no amount of clean up or post-mortem investigation
> can ever give reasonable confidence that there's no back door on it. Move
> the services and data and make a new server/clean install, then look very
> carefully at what attack vector was exploited and close it (like if it was
> brute force you should have ssh for root turned off, more restrictive
> firewall rules and ssh guard).
>
> Having a server compromised can be a huge headache, good luck.
> --
> Paul Mooring
> Systems Engineer and Customer Advocate
>
> www.opscode.com
>
> From: Vimal Shah <>
> Reply-To: Main PLUG discussion list <>
> Date: Thursday, March 7, 2013 4:49 PM
> To: Main PLUG discussion list <>
> Subject: server compromised?
>
> Hello all,
>
> While randomly looking into the .ssh/authorized_keys file, I noticed a
> line that shouldn't have been there. This was concluded based on the last
> portion of the line. This portion was in the form of **,
> where the domain was one of a likely competitor. Does this automatically
> mean that this server has been compromised? The line has been removed.
>
> Thanking everyone in advance.
>
> --
> Vimal
>
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>




-- 
Vimal (rhymes with Kimmel) Shah
Front-End / Infrastructure Engineer
Sokikom
Mobile: (480) 752-9269
Email:   
Web:    www.sokikom.com


Follow us: twitter.com/sokikom <http://www.twitter.com/sokikom>
Like us: facebook.com/sokikom <http://www.facebook.com/sokikom>
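An added example, not code from either poster, of the two checks Paul describes: flag authorized_keys entries whose comment points at a domain you do not trust, and pull accepted root or off-site logins out of the sshd auth log. The key lines, log lines, domain and IP lists are all constructed; the key blobs are placeholders.

```python
import re

# Constructed authorized_keys sample (key material is a placeholder, not a real key).
AUTHORIZED_KEYS = """\
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCplaceholder deploy@ourcompany.example
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholder root@competitor.example
"""

# Constructed /var/log/auth.log sample in the classic sshd syslog format.
AUTH_LOG = """\
Mar  7 03:12:44 web1 sshd[2231]: Accepted publickey for root from 203.0.113.45 port 51022 ssh2
Mar  7 09:15:02 web1 sshd[2410]: Accepted publickey for deploy from 198.51.100.7 port 40011 ssh2
Mar  7 11:40:19 web1 sshd[2533]: Failed password for invalid user admin from 203.0.113.45 port 51100 ssh2
"""

TRUSTED_KEY_DOMAINS = {"ourcompany.example"}   # assumed allowlist
TRUSTED_SOURCE_IPS = {"198.51.100.7"}          # assumed admin egress address

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ssh-dss")


def audit_authorized_keys(text, trusted_domains):
    """Return the comment of every key whose comment is missing or not from a trusted domain."""
    suspect = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        # Line layout: [options] keytype base64-blob [comment]; locate the keytype token
        # so leading options like from="..." do not shift the comment position.
        idx = next((i for i, p in enumerate(parts) if p in KEY_TYPES), None)
        comment = " ".join(parts[idx + 2:]) if idx is not None else ""
        domain = comment.rsplit("@", 1)[-1] if "@" in comment else ""
        if domain not in trusted_domains:
            suspect.append(comment or line)
    return suspect


ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")


def suspect_logins(log_text, trusted_ips):
    """Return (user, ip, method) for successful logins as root or from an untrusted address."""
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if not m:
            continue
        method, user, ip = m.groups()
        if user == "root" or ip not in trusted_ips:
            hits.append((user, ip, method))
    return hits
```

Run both against the real files on the rebuilt host as well, since a stale key or an unexpected accepted login is exactly what the rebuild is meant to rule out.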