Security Basics mailing list archives

security advice


From: Edmund <edmund () belfordhk com>
Date: Tue, 24 Aug 2010 17:17:13 +0800

Hi,

Just yesterday, I found out that my company's e-mail server had been
compromised.  This fact, for some reason, didn't seem to be a 'big
deal' to others.  I'm still stunned; but, considering how lax I had
become, it shouldn't be surprising.  *sigh*

[story mode]
Basically, the incident started out with an innocuous "there is
something wrong with sending e-mail" from a co-worker.  I looked
at the e-mail server and everything seemed to be ok, so I decided
to check the firewall.  That's when I noticed it was running
very sluggish.  "Uh oh."

I couldn't figure out which program was making it go slow.  I
thought it was the proxy, but it wasn't.  I rebooted the
firewall.  It was ok, up until a certain point and that's
when it slowed down.  I tcpdump'd one ethernet nic, and
noticed a huge amount of packets being sent to a remote
site from my e-mail server.  (Capital UH OH)

Checking out the |ps ax| I noticed a very suspicious
file "./s <ip#>".  Immediately I knew someone had
accessed the system.  I started to become a little
panicky.  I searched for the './s' file.  Then looking
up online, I found that I could go into the /proc
filesystem and find the pid and then the exe will
be shown.  Found the full path.  Looking at the
files within the folder "/var/tmp/.b", it was
confirmed.

I shouldn't have done what I did next.  I killed
the running program and deleted the folder.  :(
In hindsight, I should have killed the program
and zipped up the darn folder for analysis.
I'm still regretting that move.  *banging head
on table*

Cleaned up a few extra items and it seems normal.
I ran 'rkhunter' and filled out the necessary
warnings it found.

[story mode off]

I'm still very much reprimanding myself for being
so careless. This is one lesson that I gotta
have imprinted in my thick skull.

Anyway, given this lesson,  can someone offer
any methodologies/programs that I can use to
protect the company system?   I'm now going
through the firewall rules to find out what
holes the intruder might have entered through.

Thanks.

Ed
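Ed's post walks through a manual triage: spotting the odd `./s <ip#>` entry in `ps ax`, following `/proc/<pid>/exe` to the real binary under `/var/tmp/.b`, and then (regrettably) deleting that directory rather than keeping it. The script below is an added example, not code from the original thread or from any tool mentioned in it. It automates the same `/proc` walk on a Linux host, flagging processes whose binary lives in a temp or hidden directory, has been unlinked from disk, or was started by a relative `./` path, and it includes a helper that archives a directory for later analysis instead of removing it. The prefix list and the rules themselves are assumptions to be tuned per host.

```python
#!/usr/bin/env python3
"""Post-intrusion triage: walk /proc the way the post describes (pid -> exe
symlink) and flag processes that look out of place, then archive evidence
instead of deleting it. Added example; not code from the original thread."""
import os
import sys
import tarfile
import time

# Locations a production daemon has no business executing from.
# Assumed list for this example; adjust for the host being examined.
SUSPECT_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")


def _read_bytes(path):
    """Read a small /proc file, returning b'' if it disappears mid-walk."""
    try:
        with open(path, "rb") as fh:
            return fh.read()
    except OSError:
        return b""


def inspect_pid(proc_root, pid):
    """Describe one process from its /proc entry; None if it cannot be read
    (kernel thread, or a process that exited while we were looking)."""
    base = os.path.join(proc_root, str(pid))
    try:
        exe = os.readlink(os.path.join(base, "exe"))
    except OSError:
        return None
    raw = _read_bytes(os.path.join(base, "cmdline"))
    argv = [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]

    reasons = []
    # readlink appends " (deleted)" when the binary was unlinked after exec.
    if exe.endswith(" (deleted)"):
        reasons.append("binary deleted from disk")
    if exe.startswith(SUSPECT_PREFIXES):
        reasons.append("running from temp directory")
    # A hidden directory such as /var/tmp/.b is a classic drop location.
    if any(part.startswith(".") for part in exe.split("/") if part):
        reasons.append("hidden path component")
    # "./s <ip>" in ps output means it was launched by relative path.
    if argv and argv[0].startswith("./"):
        reasons.append("relative argv[0]")
    return {"pid": pid, "exe": exe, "argv": argv, "reasons": reasons}


def suspicious_processes(proc_root="/proc"):
    """Return the processes under proc_root that tripped at least one rule."""
    pids = sorted(int(n) for n in os.listdir(proc_root) if n.isdigit())
    hits = []
    for pid in pids:
        info = inspect_pid(proc_root, pid)
        if info and info["reasons"]:
            hits.append(info)
    return hits


def preserve_directory(path, out_dir="."):
    """Tar up a directory for offline analysis (what the post wishes it had
    done with /var/tmp/.b) and return the archive path."""
    archive = os.path.join(out_dir, "evidence-%d.tar.gz" % int(time.time()))
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(path, arcname=os.path.basename(path.rstrip("/")))
    return archive


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/proc"
    for hit in suspicious_processes(root):
        print("pid %d exe=%s argv=%r :: %s"
              % (hit["pid"], hit["exe"], hit["argv"], "; ".join(hit["reasons"])))
```

Run it as root so every `exe` link is readable. It reads the same `/proc` an intruder's tooling can tamper with: an LD_PRELOAD or kernel rootkit can hide entries from any userland walker, which is why a host check like the `rkhunter` run and an independent vantage point like the `tcpdump` taken on the firewall remain useful corroboration rather than alternatives.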
