ACK! -- CONTINUED
Dustin Decker
dustind at moon-lite.com
Sun Apr 20 14:50:15 CDT 2003
On Sat, 19 Apr 2003, Bradley Miller wrote:
> Actually discovered it purely by accident. I have one server that is
> bouncing up and down, why I don't know. I decided to restore my database
> backup onto one of my other servers and start running it as my secondary
> server in the interim. While there I accidentally hit the down arrow to
> recall a previous command, and saw a peculiar instruction. I looked in the
> bash history file and sure enough, I found the intruder. They installed a
> "toolz" file to compromise the system and then a "clean me up" script to
> remove all traces of their activity. Unfortunately for them, and
> fortunately for me, I could see where they were keying the server to
> respond to with all the info.
OK - here's more bad news for you. I get the impression having the server
co-located like it is you are providing services for down range clients
and the like. Make sure that when you re-install and do all the other
painful stuff, you communicate with anyone who had usernames and
passwords on the compromised system.
Those passwords (and I would suggest usernames too) can never be used
again. Your script kiddies undoubtedly have a copy of your passwd file
and the like.
Long story short - it's quite rare to have a root level compromise occur
in which there isn't a great deal of fallout.
D.
--
Dustin Decker - CNA, MCP
dustin at dustindecker.com
Network Engineer
Preferred Physicians Group

"And it should be the law: If you use the word `paradigm' without knowing what the dictionary says it means, you go to jail. No exceptions."
-- David Jones