Re: one of my servers has been compromized

[Chris M <chris () nullroute net>]

You could ch-root your apache process/webserver going forward. This would
effectively stop the malicious process when/if your machine is compromised
via web based vulnerabilities to spread to entire machine.. meaning your
area of investigation is more isolated.

I'd expect if its automatically spread to your box the vuln would be some
sort of exec via PHP or similar -- do you have php/many client sites with
outdated software/forums/message boards/image uploaders/ anything like that
on there? .. or just badly coded bespoke dynamic/cgi scripts generally..

Ps. Did you take a copy of the bot code before you deleted it? :) would
like to see it.

On Mon, Dec 5, 2011 at 12:07 PM, Lucio Crusca <lucio () sulweb org> wrote:

> Ferenc Kovacs wrote:
>
> > ps: "I neverbelieved it could happen to me until it actually happened:
> > they compromizedone of my servers." this is a really bad attitude.
>
> No, it's just common saying. I apply patches, change password regularly,
> move ssh to nonstandard ports, disable remote root access and do all the
> rest I've learnt about security in years of running linux servers, also if
> I
> couldn't believe they would hack my server. I only overlooked a piece of
> unknown-third-party php code. It's just experience that makes you stronger.
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/



-- 
 I’m a hot-wired, heat seeking, warm-hearted cool customer, voice activated
and bio-degradable. I interface with my database, my database is in
cyberspace, so I’m interactive, I’m hyperactive and from time to time I’m
radioactive.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/