[kwlug-disc] server compromised

Insurance Squared Inc. gcooke at insurancesquared.com
Wed May 13 19:36:40 EDT 2009


So no firm answer is possible, but it sounds like I'm 'probably' safe.  
This was an automated attack, not an individual actively logging on.  I 
guess I'll leave it for now, and work on doing a complete server wipe 
which is long overdue.

Going forward, the only person who ftp's on to my server is this user.  
Everyone else - which consists of myself and my developer - does any 
server stuff from command line linux.  Is there any benefit from my 
forcing my friend to use ssh to access the server instead of ftp?  He's 
on a windows box so he'd have to find some software.  I installed an ftp 
daemon for his benefit and didn't like it at the time.

g.


zixiekat at gmail.com wrote:
> You may want to restrict ftp users by chrooting them. I have done it before with login shells, but it has been a while. 
>
> It won't help with knowing if your system is still at risk, but it could help in the future. 
> ------Original Message------
> From: Chris Frey
> Sender: kwlug-disc-bounces at kwlug.org
> To: KWLUG discussion
> ReplyTo: KWLUG discussion
> Subject: Re: [kwlug-disc] server compromised
> Sent: May 13, 2009 7:21 PM
>
> On Wed, May 13, 2009 at 07:07:29PM -0400, Kyle Spaans wrote:
>   
>> I'm no expert, but I've read some discussions on matters like these and
>> whenever you even _suspect_ that hackers got access to your
>> system, it's safest to nuke the system from orbit.
>>     
>
> I usually agree with that level of paranoia, but if only FTP access was
> possible for this user, then it's down to the security of your FTP server
> software and likely only a data access breach.
>
> If the ftp account was a normal unix user, then (at least according
> to a quick test on my system) that user could download anything on the
> system with world readable rights, but won't be able to change anything.
>
> If shell access was possible, then yes, the number of vulnerabilities
> to check gets a little out of hand: setuid, kernel, etc.  You might
> want to keep a close eye on the server logs and schedule a reinstall
> a little earlier than normal. :-)
>
> - Chris
>
>
> _______________________________________________
> kwlug-disc_kwlug.org mailing list
> kwlug-disc_kwlug.org at kwlug.org
> http://astoria.ccjclearline.com/mailman/listinfo/kwlug-disc_kwlug.org
>
>

-- 
Glenn Cooke
Insurance Squared Inc.
www.insurancesquared.com
1-866-779-1499

Agent discussion forum: http://www.americaninsurancebroker.com
Free US broker directory: http://directory.americaninsurancebroker.com
Free Canadian broker directory: http://www.canadianinsurancebroker.com
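One way to answer the ssh-versus-ftp question above, together with the chroot suggestion in the quoted reply, is a chrooted SFTP-only account in OpenSSH. The checker below is an added example, not code from anyone on the list; it assumes OpenSSH's sshd_config syntax (a top-level `Subsystem sftp` line and a `Match User` block), and the sample config, the user `friend` and the path `/srv/sftp` are constructed placeholders.

```python
import re

# Constructed sample sshd_config for this example; 'friend' is a placeholder.
SAMPLE_SSHD_CONFIG = """\
Subsystem sftp internal-sftp
Match User friend
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
"""

# Keywords a chrooted, SFTP-only account needs inside its Match block.
REQUIRED = {"forcecommand": "internal-sftp",
            "allowtcpforwarding": "no", "x11forwarding": "no"}

def parse_sshd_config(text):
    """Return (global_opts, {user: opts}) with keywords lowercased."""
    global_opts, matches, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            # A Match line ends the global section; later keywords apply
            # only to the matched user (only 'Match User' is modelled).
            m = re.match(r"user\s+(\S+)", value, re.I)
            current = matches.setdefault(m.group(1), {}) if m else {}
            continue
        target = global_opts if current is None else current
        target[key] = value.strip()
    return global_opts, matches

def sftp_chroot_problems(text, user):
    """Explain what is missing for `user` to be chrooted and SFTP-only."""
    global_opts, matches = parse_sshd_config(text)
    problems = []
    if "internal-sftp" not in global_opts.get("subsystem", ""):
        problems.append("Subsystem sftp should use internal-sftp")
    opts = matches.get(user)
    if opts is None:
        return problems + ["no 'Match User %s' block" % user]
    if not opts.get("chrootdirectory"):
        problems.append("ChrootDirectory not set")
    for key, want in REQUIRED.items():
        if opts.get(key, "").lower() != want:
            problems.append("%s should be '%s'" % (key, want))
    return problems
```

The chroot directory itself must be owned by root and not writable by anyone else, or sshd refuses the login; that filesystem check is outside what this parser sees.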