[kwlug-disc] server compromised
Insurance Squared Inc.
gcooke at insurancesquared.com
Wed May 13 19:36:40 EDT 2009
So no firm answer is possible, but it sounds like I'm 'probably' safe.
This was an automated attack, not an individual actively logging on. I
guess I'll leave it for now, and work on doing a complete server wipe
which is long overdue.
Going forward, the only person who ftp's on to my server is this user.
Everyone else - which consists of myself and my developer - does any
server stuff from command line linux. Is there any benefit from my
forcing my friend to use ssh to access the server instead of ftp? He's
on a windows box so he'd have to find some software. I installed an ftp
daemon for his benefit and didn't like it at the time.
g.
zixiekat at gmail.com wrote:
> You may want to restrict ftp users by chrooting them. I have done it before with login shells, but it has been a while.
>
> It won't help with knowing if your system is still at risk, but it could help in the future.
> ------Original Message------
> From: Chris Frey
> Sender: kwlug-disc-bounces at kwlug.org
> To: KWLUG discussion
> ReplyTo: KWLUG discussion
> Subject: Re: [kwlug-disc] server compromised
> Sent: May 13, 2009 7:21 PM
>
> On Wed, May 13, 2009 at 07:07:29PM -0400, Kyle Spaans wrote:
>
>> I'm no expert, but I've read some discussions on matters like these and
>> whenever you even _suspect_ that hackers got access to your
>> system, it's safest to nuke the system from orbit.
>>
>
> I usually agree with that level of paranoia, but if only FTP access was
> possible for this user, then it's down to the security of your FTP server
> software and likely only a data access breach.
>
> If the ftp account was a normal unix user, then (at least according
> to a quick test on my system) that user could download anything on the
> system with world readable rights, but won't be able to change anything.
>
> If shell access was possible, then yes, the number of vulnerabilities
> to check gets a little out of hand: setuid, kernel, etc. You might
> want to keep a close eye on the server logs and schedule a reinstall
> a little earlier than normal. :-)
>
> - Chris
>
>
> _______________________________________________
> kwlug-disc_kwlug.org mailing list
> kwlug-disc_kwlug.org at kwlug.org
> http://astoria.ccjclearline.com/mailman/listinfo/kwlug-disc_kwlug.org
>
>
> Sent from my BlackBerry device on the Rogers Wireless Network
--
Glenn Cooke
Insurance Squared Inc.
www.insurancesquared.com
1-866-779-1499
Agent discussion forum: http://www.americaninsurancebroker.com
Free US broker directory: http://directory.americaninsurancebroker.com
Free Canadian broker directory: http://www.canadianinsurancebroker.com
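
Added example (not part of the original thread): a Python sketch for sizing up the exposure discussed above, listing what a normal unix account could read through world-readable mode bits, plus any setuid/setgid files to review if shell access was possible. The function name and the default starting directory are assumptions made for illustration; only mode bits are checked, so ACLs and group membership are ignored.

```python
import os
import stat
import sys


def audit_exposure(root):
    """Return (world_readable, setuid) lists of regular files under root.

    Only directories carrying the "other" execute bit are descended into,
    since an unprivileged account cannot traverse the rest. The root itself
    is assumed reachable. Symlinks are not followed.
    """
    world_readable, setuid = [], []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # Prune subdirectories an unprivileged user cannot enter.
        keep = []
        for d in dirnames:
            try:
                mode = os.lstat(os.path.join(dirpath, d)).st_mode
            except OSError:
                continue
            if stat.S_ISDIR(mode) and mode & stat.S_IXOTH:
                keep.append(d)
        dirnames[:] = keep
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue
            if not stat.S_ISREG(mode):
                continue
            if mode & stat.S_IROTH:
                world_readable.append(path)
            if mode & (stat.S_ISUID | stat.S_ISGID):
                setuid.append(path)
    return sorted(world_readable), sorted(setuid)


if __name__ == "__main__":
    # Default start directory is an assumption; pass another path as argv[1].
    start = sys.argv[1] if len(sys.argv) > 1 else "/etc"
    readable, suid = audit_exposure(start)
    print(f"{len(readable)} world-readable files reachable by any local user")
    for p in suid:
        print("setuid/setgid:", p)
```

Run it as an unprivileged user so that directories it cannot list are skipped the same way they would be for the FTP account.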