Re: Am I compromised

To: debian-isp@lists.debian.org
Subject: Re: Am I compromised
From: Ritesh Raj Sarraf <rrs@researchut.com>
Date: Fri, 25 Nov 2005 23:15:10 +0530
Message-id: <[🔎] dm7ijf$7fe$1@sea.gmane.org>
References: <[🔎] dm7c5e$i9j$1@sea.gmane.org> <[🔎] 20051125170235.GS30622@rondom.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark Lijftogt on Friday 25 Nov 2005 22:32 wrote:

> Take a look at /var/lib/tmp and /tmp . Take a good look at your apache
> log files. Remove wget with (apt-get purge wget). Remove any other
> service you don't need.
> 
> Don't just delete everything you can find in these world writable
> locations, but examin them with your logs. Make a report, and inform the
> host of the location where the download came from.
> 
> As soon as your done with that, kill apache, check your usage of the
> bandwith.. and run a -   nmap -sS localhost
> This might give you some usefull information, and lock up the ports your
> server doesn't use by default.. and should use for the service. That
> means inside out and outside in traffic (hence the removal of wget).
> 
> Afterwards, go and check the websites.. and take a good look at what
> software is used, what should be updated, and so on. When you are done
> think about rebuilding your server with the following in mind;
> A default apache install is nice, it works, but isn't all that
> &
> tools are nice to use, but what do you need.. install only that.
> 
> There are a lot of other stuff you can do.. but ey, it all depends on
> what you NEED. I'm not known for beeing paranoid when it comes to
> security.. but I just like to split up the services on diffrent boxes
> when I get the oppertunity.


The cracker opened up a port, 601 on tcp.
So even though I stopped and restarted apache disabling mod_perl, the
problem was repeated.

I'll end up with clean installation as I don't have physical access to the
machines. :-(

Thanks for replying.

Regards,

rrs
- -- 
Ritesh Raj Sarraf
RESEARCHUT -- http://www.researchut.com
Gnupg Key ID: 04F130BC
"Stealing logic from one person is plagiarism, stealing from many is
research."
"Necessity is the mother of invention."
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDh02m4Rhi6gTxMLwRAoHpAJ4lB4/AM97qb3Hme0+uv+pZE2NigACdHKfy
OIdvRxlWKomNlyi9Y2PYaZs=
=Catz
-----END PGP SIGNATURE-----

Reply to:

References:
- Am I compromised
  - From: Ritesh Raj Sarraf <rrs@researchut.com>
- Re: Am I compromised
  - From: Mark Lijftogt <mark@rondom.org>

Prev by Date: Re: Am I Compromised -- Some interesting findings
Next by Date: *****VIRUS***** von Ritesh Raj Sarraf <rrs@researchut.com>
Previous by thread: Re: Am I compromised
Next by thread: Re: Am I compromised
Index(es):
- Date
- Thread