On Tue, 9 Sep 2008, Miark wrote:
My wife's office server was compromised today. It appears they ssh'ed in through
ehh? exposed to the public internet? oh my ;)
account pcguest which was set up for Samba. (I don't remember setting up that account, but maybe I did.)
ssh will of course honor 'wrappers'; samba can and should be set to respond only on local networks; iptables can block outbound packets just as well as inbound ones ;)_
I used 'find' to locate ftp_scanner, which was running in a folder under /var/tmp. It seems that before I could nuke the directory, it nuked itself!
Some root kits take matters a bit further and wipe out the partition table, MBR, and more, so that even a reboot will fail
Because it was running from /var/tmp, and because 'find' and 'ps' were not compromised (in that they did not hide the ftp_scanner processes or files), I'm thinking the attacker really didn't get any further than eating some bandwidth.
or that they left a 'present' behind, in hopes you don't wipe and reinstall, and attempt to 'repair' a machine in an unknowable state. ;)
I suppose I have no choice but to re-install, but I thought I'd run I'd get some feedback first. (Something other than, "Way to go, moron.") In the meantime, I'm pulling the plug.
A hard lesson to learn -- I bet you'll remember it. -- Russ herrold _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos
