Re: Compromised




Yeah, pull the network plug first. Then boot up with a Knoppix CD to back up your data and/or image the disk, then reload. I'm sure you could do a full audit of the system, but reloading is likely much quicker.

A word to the wise on the account pcguest: if it was one you created, set the shell to something like /sbin/nologin. That can help to prevent unauthorized ssh access if you happen to leave a password blank. I'll leave the additional suggestions and heckles to others on the list.

Miark wrote:
My wife's office server was compromised today. It appears they ssh'ed in through account pcguest, which was set up for Samba. (I don't remember setting up that account, but maybe I did.) At any rate, I found a bazillion "ftp_scanner" processes running. A killall finished them off quickly, I nuked the pcguest account, and switched ssh to a different port (which I normally do anyway).

I used 'find' to locate ftp_scanner, which was running in a folder under /var/tmp. It seems that before I could nuke the directory, it nuked itself!

Because it was running from /var/tmp, and because 'find' and 'ps' were not compromised (in that they did not hide the ftp_scanner processes or files), I'm thinking the attacker really didn't get any further than eating some bandwidth.

I suppose I have no choice but to re-install, but I thought I'd get some feedback first. (Something other than, "Way to go, moron.") In the meantime, I'm pulling the plug.

Miark
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
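A defender-side check for the nologin advice above, added here as an example that is not from the thread: it scans passwd/shadow-style data for accounts that still have an interactive shell and an empty password field, and prints the usermod command that disables their shell. The account names and entries are constructed sample data, not anyone's real system.

```shell
#!/bin/sh
# Added example (not from the original thread). Audits constructed
# /etc/passwd and /etc/shadow content for accounts that combine an
# interactive shell with an empty password, the mix the reply warns about.

# Constructed sample /etc/passwd content
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
pcguest:x:501:501:Samba guest:/home/pcguest:/bin/bash
smbsvc:x:502:502:Samba service:/var/empty:/sbin/nologin
alice:x:503:503:Alice:/home/alice:/bin/bash'

# Constructed sample /etc/shadow content. Second field: empty = no
# password at all; "!" or "*" = locked; anything else = a hash (abbreviated).
SAMPLE_SHADOW='root:$6$hash:15000:0:99999:7:::
pcguest::15000:0:99999:7:::
smbsvc:!!:15000:0:99999:7:::
alice:$6$hash:15000:0:99999:7:::'

# Print the names of accounts whose shell is interactive AND whose shadow
# entry has an empty password field. Such accounts can be reached over ssh
# without a password whenever sshd has PermitEmptyPasswords enabled.
# Args: passwd text, shadow text.
find_risky_accounts() {
    passwd="$1"
    shadow="$2"
    printf '%s\n' "$passwd" | while IFS=: read -r name _ _ _ _ _ shell; do
        case "$shell" in
            /sbin/nologin|/usr/sbin/nologin|/bin/false) continue ;;
        esac
        # "F:" prefix distinguishes an empty field from a missing shadow line
        pw=$(printf '%s\n' "$shadow" | awk -F: -v u="$name" '$1 == u { print "F:" $2 }')
        if [ "$pw" = "F:" ]; then
            echo "$name"
        fi
    done
}

# The remediation the reply suggests, printed rather than executed so the
# script is a safe dry run. Arg: account name.
remediation_for() {
    echo "usermod -s /sbin/nologin $1"
}

for u in $(find_risky_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"); do
    remediation_for "$u"
done
```

Against the real files you would pass `"$(cat /etc/passwd)"` and `"$(cat /etc/shadow)"` as root; the script only prints the suggested usermod lines.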
