compromised Linux box
Shane Hathaway
shane at hathawaymix.org
Thu Apr 12 15:01:58 MDT 2007
Matthew Frederico wrote:
> On 4/12/07, Dallin Jones <squitoey at gmail.com> wrote:
>> I had a server of mine compromised earlier today, and it made me
>> contemplate the measures and steps every one takes to ensure that
>> their box doesn't get compromised and when it does happen, how do you
>> know that it happened? In the meantime, I'll get back to the
>> re-imaging of my server. (Thank goodness for working backups!!!)
>
> The best way to know that you've been compromised is when you start getting
> calls from your hosting provider or co-lo facility that people are
> complaining about spam, or your web site has turned into a porn site
> overnight. That's a dead giveaway so I've been told.
Ha ha.
I've had two Linux boxes compromised before. On the first, which was
connected to the Internet via a modem (!), the shell started behaving
strangely. I don't remember what it did exactly, but the root kit that
hit the machine replaced some executables without noticing that the
replacements linked with the wrong libraries. Duh. Then I not only
wiped the machine, I switched distributions.
On the second box, I noticed one day via netstat (which I use often as a
simple network debugging tool) that there was an extra TCP server
running. The process that was apparently listening did not show up in
"ps" or "top". I didn't know why they wouldn't show up, so I
investigated more and found that some executables had been replaced with
a version that hides the root kit, but others had not. I didn't wipe
the machine right away, but I eventually did and switched distributions
again.
Not wanting to be burned again, I'm now using Linux-VServer as a method
of containing break-ins. I have a front-end web server that runs
software with a history of vulnerabilities. I have a second server that
handles mail. I have a third server that accepts SSH connections. All
three servers are in a single box. Outside the virtual contexts, there
are cron jobs that back up the virtual servers and run rkhunter every night.
I think the box is fairly safe now, but new vulnerabilities appear
daily, so I watch the advisories on lwn.net. I also plan to set up
remote incremental backups, since my family is starting to store
irreplaceable information on that server.
Shane
More information about the PLUG mailing list