[SWLUG] Server exploited
dave at cridland.net
Mon Aug 3 09:21:03 UTC 2009
On Mon Aug 3 04:36:30 2009, James Edgeworth wrote:
> I run a small debian-based server which hosts just a personal page,
> a couple development versions of other sites (and svn, and motion
> detection with webcams). Seems I made a big mistake thinking it was
> secure (against a common attack).
By the sounds of it, one of your users had a dictionary password.
Things like this happen, don't beat yourself up about it. Similarly,
it's often easy to get hit by zero-day (and more than zero-day)
attacks, just because your IP range was targetted quicker than you
> Sorry for the long email - hoping someone has a few pointers/things
> check for in this case?
As Matthew Moore said, some of the rootkits that the kiddies can get
easily are very hard to detect and remove totally - although my bet
would be that in this case, you don't have a rootkit, it's not a bet
I'd put any money on.
If it were my server - and hence under my desk here - then I'd be
willing to spend the time to carefully check it over and remove the
rootkit. I've done so before, when I've been bitten, and contrary to
popular belief, rootkits are not magical, and can be removed.
However, doing so really requires console access, and takes
considerably longer than a simple reinstall. Just make sure that when
you restore the backups, you do not also restore the rootkit...
If you happen to have multiple servers, do consider restricting the
SSH access to only a few IP addresses. Similarly, it's possible to
restrict the addresses to ranges you use, etc. This won't utterly
remove the attack vector, but it's very likely to mean that the
casual attacker won't bother.
If you do have the time and inclination, by the way, then a
straightforward replacement of the server (or its harddisk), and
keeping the rooted machine [image] to clean up as a hobby is quite
interesting, and will teach you a great deal about security in
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at dave.cridland.net
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
More information about the Swlug