Full Disclosure mailing list archives
Re: one of my servers has been compromized
From: Chris M <chris () nullroute net>
Date: Mon, 5 Dec 2011 12:30:48 +0000
You could chroot your apache process/webserver going forward. This would effectively stop the malicious process, when/if your machine is compromised via web based vulnerabilities, from spreading to the entire machine, meaning your area of investigation is more isolated.

I'd expect if it's automatically spread to your box the vuln would be some sort of exec via PHP or similar -- do you have php/many client sites with outdated software/forums/message boards/image uploaders/anything like that on there? ... or just badly coded bespoke dynamic/cgi scripts generally.

PS. Did you take a copy of the bot code before you deleted it? :) Would like to see it.

On Mon, Dec 5, 2011 at 12:07 PM, Lucio Crusca <lucio () sulweb org> wrote:
> Ferenc Kovacs wrote:
>> ps: "I never believed it could happen to me until it actually happened: they compromized one of my servers." this is a really bad attitude.
>
> No, it's just a common saying. I apply patches, change passwords regularly, move ssh to nonstandard ports, disable remote root access and do all the rest I've learnt about security in years of running linux servers, also if I couldn't believe they would hack my server. I only overlooked a piece of unknown-third-party php code. It's just experience that makes you stronger.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
-- I’m a hot-wired, heat seeking, warm-hearted cool customer, voice activated and bio-degradable. I interface with my database, my database is in cyberspace, so I’m interactive, I’m hyperactive and from time to time I’m radioactive.