[SWLUG] Server exploited
Dave Cridland
dave at cridland.net
Mon Aug 3 09:21:03 UTC 2009
On Mon Aug 3 04:36:30 2009, James Edgeworth wrote:
> I run a small Debian-based server which hosts just a personal page, and
> a couple development versions of other sites (and svn, and motion
> detection with webcams). Seems I made a big mistake thinking it was
> secure (against a common attack).
By the sounds of it, one of your users had a dictionary password.
Things like this happen, don't beat yourself up about it. Similarly,
it's often easy to get hit by zero-day (and more than zero-day)
attacks, just because your IP range was targeted quicker than you
patched.
> Sorry for the long email - hoping someone has a few pointers/things to
> check for in this case?
As Matthew Moore said, some of the rootkits that the kiddies can get
easily are very hard to detect and remove totally - although my bet
would be that in this case, you don't have a rootkit, it's not a bet
I'd put any money on.
If it were my server - and hence under my desk here - then I'd be
willing to spend the time to carefully check it over and remove the
rootkit. I've done so before, when I've been bitten, and contrary to
popular belief, rootkits are not magical, and can be removed.
However, doing so really requires console access, and takes
considerably longer than a simple reinstall. Just make sure that when
you restore the backups, you do not also restore the rootkit...
If you happen to have multiple servers, do consider restricting the
SSH access to only a few IP addresses. Similarly, it's possible to
restrict the addresses to ranges you use, etc. This won't utterly
remove the attack vector, but it's very likely to mean that the
casual attacker won't bother.
If you do have the time and inclination, by the way, then a
straightforward replacement of the server (or its hard disk), and
keeping the rooted machine [image] to clean up as a hobby is quite
interesting, and will teach you a great deal about security in
general.
Dave.
--
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at dave.cridland.net
- acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
- http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
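One way to apply the SSH restriction suggested above, as an added example that is not part of the original post: an sshd_config fragment that limits logins to named accounts from known ranges and, since the likely cause was a dictionary password, turns password authentication off except from a trusted range. The addresses and account names are placeholders.

```text
# /etc/ssh/sshd_config (added example; addresses and user names are placeholders)

# Defaults for every connection: keys only, no root logins, few guesses.
PasswordAuthentication no
PermitRootLogin no
MaxAuthTries 3

# Only these accounts may log in at all, and only from these ranges.
# AllowUsers accepts user@host, where host may be a CIDR range.
AllowUsers dave@203.0.113.0/24 dave@198.51.100.7 svnuser@203.0.113.0/24

# Permit password logins solely from the trusted office range, so a
# forgotten key does not lock you out; everywhere else keys stay mandatory.
Match Address 203.0.113.0/24
    PasswordAuthentication yes
```

Run `sshd -t` to syntax-check the file, and keep an existing session open while you restart sshd so a mistake in the ranges cannot lock you out.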