
Re: [cobalt-users] Howto trace hack (was: Raq550: SMTP shutting down)



On Thursday 18 March 2004 17:52, Crocket wrote:
> Hi,
>
> After the last few mails a couple of hours ago I was unable to reach the
> server (no mails, no ssh, no ftp, only a ping worked).
> So I just got back from the datacenter. Rebooting with the LCD panel wasn't
> possible anymore. So I used the power button to reboot.
> Everything came back online so the first thing we did was to move those
> foreign files somewhere else for further checking.
> /home/tmp is symlinked to /tmp, so I guess they managed to upload their
> stuff through a php upload script on one of the sites.
> They ran an undernet ircd and amech (file sharing or something?). I found
> files of users, their pw and ip in the undernet folders.
> One
> We checked the processes, rebooted, checked if there were new files,
> checked processes and nothing out of the usual.
> However I would really like to know:
> 1) which vhost/script was used to upload that crap and how can they exec
> tar -zxvf their *.gz files
> 2) Is it possible to run configure, makefile (needed for the undernet
> installation) without shell access (# last didn't show any unusual logins
> and no unusual users in /etc/passwd), e.g. through a php script?
> 3) As long as I don't find the reason, nothing will prevent them from doing it
> again. What can I do to prevent this? Can I send a mail to me every 15min
> with a list of the contents of /tmp? Anyone have a quick syntax for
> that please?
>
> Thanks
> John

The email would solve part of the problem (early notification) but the easy
way is to disable the compiler - (chmod 444 /usr/bin/gcc) until or unless you
actually "need" it for something.  Most of us don't often compile things on
the box (and most packages come with pre-compiled binaries).  The hackers can get
there (possibly) but cannot compile and run their scripts with no compiler
and cannot change it unless they know why the original failed.  I have had
two attempts that I found in /tmp (/home/tmp) where their "attempt"
apparently failed since it would not compile - and traced both to customers
putting php or other cgi on the server that allowed "upload" (both customers
are gone now)...

-- 
Larry Smith
SysAd ECSIS.NET
sysad@xxxxxxxxx
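Crocket's request for a periodic /tmp report and Larry's advice to keep gcc non-executable, written up as one cron-able script. This is an added example, not code from either poster; the watched paths, the state file location and the mail recipient in the comment are assumptions.

```shell
#!/bin/sh
# Added example: report entries that appeared under the watched directories
# since the last run, and confirm the compiler is still non-executable.
# Assumed cron line (placeholder recipient), run every 15 minutes:
#   */15 * * * * /usr/local/sbin/tmpwatch.sh | mail -s "tmp report" sysad@example.invalid
# Only the new entries are printed, so an empty report means nothing changed.

# /home/tmp is a symlink to /tmp on the poster's box; -H below follows it.
WATCH_DIRS="${WATCH_DIRS:-/tmp /home/tmp}"      # assumed paths
STATE="${STATE:-/var/lib/tmpwatch/last.lst}"    # assumed state file
COMPILER="${COMPILER:-/usr/bin/gcc}"

# Sorted listing of every entry under the watched directories:
# path, owner, mode and size, so a new or replaced file stands out.
snapshot() {
    for d in $WATCH_DIRS; do
        [ -d "$d" ] || continue
        find -H "$d" -mindepth 1 -printf '%p %u %m %s\n' 2>/dev/null
    done | sort -u
}

# Print lines present now but absent from the stored snapshot, then store
# the current one. Returns 0 when nothing is new, 1 when something appeared
# (the first run has no baseline, so everything counts as new).
report_new() {
    cur=$(snapshot)
    if [ -f "$STATE" ]; then
        new=$(printf '%s\n' "$cur" | comm -13 "$STATE" -)
    else
        new="$cur"
    fi
    mkdir -p "$(dirname "$STATE")"
    printf '%s\n' "$cur" > "$STATE"
    [ -z "$new" ] && return 0
    printf '%s\n' "$new"
    return 1
}

# Larry's check: the compiler must not be executable. Returns 0 if so.
compiler_disabled() {
    [ ! -x "$COMPILER" ]
}
```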