[Scottish] Security breach
Colin McKinnon
colin.mckinnon at ntlworld.com
Mon Jul 4 23:20:55 UTC 2011
On Monday 04 July 2011 10:14:55 am John Gordon Ollason wrote:
> Greetings,
>
> I received e-mail from the ISP that hosts my websites that my shell
> account had been used in a security breach. I have had a superficial
> check of my files, and can't find anything altered. What checks ought I to
> do to ensure the integrity of my files? And what harm could my websites do
> if something nasty has been left behind?
>
Hi John O.
Scary. When a security breach happens you'll generally get the same advice
anywhere. Format your hard disk, reinstall from source media then deploy your
bespoke code / data from backups. Meanwhile try to identify how the system
was compromised and plug the holes. However if you're using a shared host
(i.e. don't have root access) that's far from trivial. In an ideal world
you'd get an image of the system to analyse offline to investigate what
happened - one of the reasons for needing root access.
Are you using off-the-shelf third-party code on your site (e.g. a CMS)? If so,
which one? Have you checked for known vulnerabilities? Are we talking about
the website matching your email address?
> what harm could my websites do
> if something nasty has been left behind?
It could just be sending out some spam - or you might be hosting a phishing
site which costs the victims thousands of pounds every time someone visits it.
Or it could be getting used as a proxy for controlling a bot army. So
anything between very little and quite a lot - you might consider pointing
your DNS elsewhere till you've got some confidence in identifying what's
happened here (you did ensure that you bought your DNS registration separately
from your hosting?).
Your ISP's assertion that the shell was compromised suggests that the attackers
probably did not gain access via vulnerabilities in your website (which is
how most attacks start). Can your ISP show that the access was via ssh? If
not can they say with confidence that it was not via ssh? Were other accounts
on the system compromised?
An important question you'll have to visit very soon is how much is your
website worth to you? And how much are you willing to spend to get it back on
line? Do you want to continue using the same hosting company?
There's going to be a lot of work involved in getting your site back - this
reply barely scratches the surface. There are lots of very capable IT people
here on the list - depending on what you use your website for / whether you
think it worth paying someone to get the service restored, they may be able
to provide more specific support.
HTH
C.