Mailing List Archive



Re: [tlug] hello from a new / old member



Hi everyone,

I've taken the cracked server offline so I can't ssh in from work here and provide exact details of the break-in at this point, but I promise to post that info soon. Short story is it appears that indeed I had insecure php code (I think it may have been from a php based message board), and also apache didn't have the mod_security running. Everyone has been seeing those scans lately for Once they got in, it appears they used apache to get a remote file which was a sendmail hack, then used this brute force to gain root access. But again I haven't had time to look into this too extensively so I'm only guessing based on what I found.

The suspicious files appeared in /var/tmp under the classic hidden folders '. /'  written by www-data user. Looking at the content it appeared most of it was to:
1) replace a lot of the running processes with its own versions
2) remote scan other machines and try to replicate itself
3) send spam using an eBay suffix which asked people to "update their user information". There was a txt file containing thousands of email addresses it was spamming.
4) it tried to run an IRC, but the code itself was sloppy, trying to hide itself in the /usr/share/locale/jp directory, but there isn't a jp, only ja so it appears they were indeed targeting Japan.

Again, sorry for the brevity of this analysis, I'll post more this weekend.

As far as cranking down ssh is concerned, I found a useful howto yesterday:
http://non-gnu.uvt.nl/pub/uvt-unix-doc/ssh-harden.txt
Interesting points are running sshd on nonstandard ports, using knock to enable the daemon only after receiving a specific sequence of port hits, using keypairs instead of password authentication, using fail2ban etc.

Cheers,
Scott

PS my apologies for the annoying suffix on my email. Corporate gateway auto-appends it and I am but a lowly admin.
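The sshd hardening points from the howto Scott links (keypairs instead of password authentication, a nonstandard port) turned into a small sshd_config audit script; it also checks PermitRootLogin, which the post does not list. This is an added example, not code from the post or from the howto; it assumes the standard OpenSSH keyword names and that an unset keyword falls back to the default the caller passes in (yes for PasswordAuthentication, and conservatively yes for PermitRootLogin).

```shell
#!/bin/sh
# Audit an sshd_config for the settings the hardening howto above calls out.
# Assumptions (mine, not the howto's): standard OpenSSH keywords, and an
# unset keyword falls back to the default passed in by the caller.

# Print the effective (lowercased) value of one sshd_config keyword.
# sshd semantics: keywords are case-insensitive, the first occurrence wins,
# and settings inside Match blocks are conditional, so stop at the first Match.
sshd_setting() {
    # $1 = config file, $2 = keyword, $3 = value to assume when unset
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        { sub(/#.*/, "") }                      # drop comments and commented-out lines
        tolower($1) == "match" { exit }         # stop at the first Match block
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print tolower(def) }
    ' "$1"
}

# Return 0 when the config passes, 1 otherwise; print one line per finding.
audit_sshd_config() {
    cfg="$1"; bad=0
    # Keypairs instead of passwords (OpenSSH defaults PasswordAuthentication to yes)
    if [ "$(sshd_setting "$cfg" PasswordAuthentication yes)" != "no" ]; then
        echo "WEAK: PasswordAuthentication is on; switch to key-based auth"; bad=1
    fi
    # Not in the post's list, but a usual companion check; unset treated as yes
    if [ "$(sshd_setting "$cfg" PermitRootLogin yes)" != "no" ]; then
        echo "WEAK: PermitRootLogin is not 'no'"; bad=1
    fi
    # Nonstandard port is advisory only; knocking and fail2ban live outside sshd_config
    if [ "$(sshd_setting "$cfg" Port 22)" = "22" ]; then
        echo "NOTE: sshd listens on the default port 22"
    fi
    return "$bad"
}

# Demo on a constructed (not real) config: the commented-out line must not count.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
Port 22
#PasswordAuthentication no
PermitRootLogin yes
EOF
audit_sshd_config "$demo_cfg" || echo "audit failed as expected"
rm -f "$demo_cfg"
```

Run it against /etc/ssh/sshd_config after applying the howto; the script only reads the file and never changes it.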
