[Tfug] Server Compromise

Chris Hill ubergeek at ubergeek.tv
Fri Sep 28 10:50:20 MST 2007


So first off:

I'm not looking for a quick solution, but just ideas that may help me 
figure out the attack vector so that I may more thoroughly fix the 
problem. Thanks to ALL, for their input, regardless of whether it was 
trolling or genuinely helpful. I just want ideas, and it's been helpful. 
Also, Ron, your ideas are very sound, but see below; I don't think it was 
a web-based php/perl attack after all.

So today I logged in to another server, and found that the attackers 
have gotten ahold of that server too (no priv escalation, though). So what 
does that mean? Well, it means that it is *very* probable the attackers 
are the same people who broke in before and hosed our mail server. The 
attack vector there was a keylogger on a coworker's machine, so I don't 
think this attack is at all *nix specific.

This also means that the access vector is most likely ssh-specific. So 
we've shut off ssh from external networks and this should really fix the 
issue. It's kind of shifting my attitude about security from 'hardening' 
to 'internal access only'. Because regardless of how tough your server 
is, you're just better off limiting access to your place of 
work/home/etc through hosts.allow or other methods.


C
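The "internal access only" policy above is usually expressed as hosts.allow/hosts.deny rules consumed by tcp_wrappers (hosts_access(5)). The decision order is easy to get wrong, so here is an added example, not code from the original post or from the tfug list, that emulates that order offline: a first match in hosts.allow grants, then a first match in hosts.deny refuses, and no match at all grants. The two sample files and every address in them are constructed for illustration; only address-based client patterns are emulated (hostname suffixes, EXCEPT lists, daemon@host forms, shell commands and the hosts_options extensions are not).

```python
"""Emulate the tcp_wrappers (hosts.allow / hosts.deny) access decision.

Added example, not from the original post. It reproduces the matching
order of hosts_access(5) for address-based client patterns so that an
"internal access only" sshd policy can be checked offline. Not
emulated: hostname patterns, EXCEPT lists, daemon@host forms, shell
commands and the hosts_options extensions.
"""
import ipaddress
import re

# Constructed sample files (hypothetical addresses; edit to taste).
HOSTS_ALLOW = """
# sshd: only the office LAN and the VPN range.
sshd: 192.168.1.0/255.255.255.0, 10.8.0.0/16
# Mail must stay reachable from anywhere.
sendmail: ALL
"""

HOSTS_DENY = """
# Everything not explicitly allowed above is refused.
ALL: ALL
"""


def parse_rules(text):
    """Return [(daemon_patterns, client_patterns)] from a hosts.* body."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if "EXCEPT" in line.upper():
            raise ValueError("EXCEPT lists are not emulated here")
        daemons, sep, clients = line.partition(":")
        if not sep:
            raise ValueError(f"malformed rule: {raw!r}")
        # hosts_access accepts commas and/or whitespace as separators
        rules.append((re.split(r"[,\s]+", daemons.strip()),
                      re.split(r"[,\s]+", clients.strip())))
    return rules


def daemon_matches(patterns, daemon):
    """Daemon field: ALL or the wrapped program's name (argv[0] basename)."""
    return any(p == "ALL" or p == daemon for p in patterns)


def client_matches(pattern, addr):
    """True if IP address `addr` matches one address-based client pattern."""
    ip = ipaddress.ip_address(addr)
    if pattern == "ALL":
        return True
    if pattern.startswith("."):               # hostname suffix: not emulated
        return False
    if pattern.endswith("."):                 # "192.168." = address prefix
        return str(ip).startswith(pattern)
    try:
        if "/" in pattern:                    # net/mask (classic) or net/prefixlen
            return ip in ipaddress.ip_network(pattern, strict=False)
        return ip == ipaddress.ip_address(pattern)
    except ValueError:                        # hostnames, KNOWN, PARANOID, ...
        return False


def rule_hits(rules, daemon, addr):
    return any(daemon_matches(d, daemon) and any(client_matches(c, addr) for c in cl)
               for d, cl in rules)


def allowed(daemon, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """hosts_access order: hosts.allow grants, then hosts.deny refuses,
    and a client matched by neither file is granted access."""
    if rule_hits(parse_rules(allow_text), daemon, addr):
        return True
    if rule_hits(parse_rules(deny_text), daemon, addr):
        return False
    return True


if __name__ == "__main__":
    for who, ip in [("office LAN", "192.168.1.25"), ("VPN", "10.8.3.4"),
                    ("Internet", "203.0.113.7")]:
        verdict = "allow" if allowed("sshd", ip) else "DENY"
        print(f"sshd from {who:10} {ip:14} -> {verdict}")
    # The trap: hosts.allow alone changes nothing. Without a catch-all in
    # hosts.deny, a client that matches no rule is still let in.
    verdict = "allow" if allowed("sshd", "203.0.113.7", deny_text="") else "DENY"
    print(f"sshd from Internet with empty hosts.deny -> {verdict}")
```

On a real host, `tcpdmatch sshd 203.0.113.7` from the tcp_wrappers package evaluates the actual files the same way. Two caveats: only daemons linked against libwrap consult these files at all (OpenSSH dropped that support in 6.7, so on a current system use sshd's `ListenAddress`/`AllowUsers` and a host firewall rule instead), and the allow list is meaningless without the `ALL: ALL` line in hosts.deny.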
