Successful SSH Attack - Need help cleaning up

Matthew Frederico mfrederico at gmail.com
Tue Oct 31 09:58:55 MST 2006


On 10/30/06, Daniel <teletautala at gmail.com> wrote:
>
> On 10/27/06, Ryan Simpkins <plug at ryansimpkins.com> wrote:
> > Secondly, and to back up a bit, how do you know that it was via SSH they gained
> > access? Is SSH the only service running on your system?


Sorry to interject - a similar event happened to me on a webserver.

What I found was that it wasn't an SSH attack, but that it was actually a hole
in a program on the webserver - I think it was phpBB - where they were able
to use a crafted query string because safe mode was off in PHP and
open_basedir was not restricting PHP to only the web user's root path.

So I fixed that, got rid of the programs (which incidentally were sending
phishing spam) and hacked the guy back and got all his tools, lists etc.

At any rate, if you are running PHP, double-check your settings and make
SURE you turn off the URL fopen wrappers - those can cause havoc. Also
double-check you're running in safe mode, and set open_basedir settings in
your Apache conf per virtual host.


-- 
-- Matthew Frederico
http://www.ultrize.com
----------------------------------
Office: (801) 938-4071
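As an added illustration of the per-virtual-host hardening the post recommends (this is example configuration, not anything from the original post or the PLUG list), here is a mod_php virtual host with the exposed settings next to the same host locked down. The host name and paths are placeholders.

```apache
# Added example: weak vs. hardened PHP settings for one Apache virtual host
# (mod_php). Host name and paths are placeholders, not from the original post.

# --- Weak: PHP may open remote URLs, and no open_basedir means a crafted
#     include/fopen path can reach anything the web user can read.
<VirtualHost *:80>
    ServerName example.test
    DocumentRoot /var/www/example.test/htdocs
    php_admin_flag allow_url_fopen On
    php_admin_flag allow_url_include On
    # (no open_basedir set)
</VirtualHost>

# --- Hardened: php_admin_flag / php_admin_value cannot be overridden by a
#     script's ini_set() or by a .htaccess file, so each vhost gets its own
#     fixed sandbox.
<VirtualHost *:80>
    ServerName example.test
    DocumentRoot /var/www/example.test/htdocs
    # Disable the URL fopen wrappers: no fopen()/include of http://, ftp:// etc.
    php_admin_flag allow_url_fopen Off
    php_admin_flag allow_url_include Off
    # Confine file access to this site's docroot plus a private temp dir.
    # /tmp/example.test must exist and be writable by the web server user.
    php_admin_value open_basedir "/var/www/example.test/htdocs:/tmp/example.test"
    # Keep uploads and sessions inside the open_basedir allow-list so the
    # restriction does not break legitimate use of the site.
    php_admin_value upload_tmp_dir "/tmp/example.test"
    php_admin_value session.save_path "/tmp/example.test"
    # Do not leak paths and query details to a visitor probing the app.
    php_admin_flag display_errors Off
</VirtualHost>
```

Note that safe_mode, which the post also recommends, was deprecated in PHP 5.3 and removed in PHP 5.4, so open_basedir and the allow_url_* flags are the controls that remain; with PHP-FPM instead of mod_php the same keys go in the pool file as php_admin_value[open_basedir] and php_admin_flag[allow_url_fopen].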