On Friday 25 February 2005 03:56 pm, Brian Densmore wrote:
> since you apparently had already been hacked prior to the
> reinstall (evidenced by the rm -rf /), I would wager that
> your reload from the image you have here is already rooted.

Nope.  Checked that.  The image was several weeks old, and while an exploit may have been planted, then used at a later date, I think this is unlikely.  Any traces of the actual cause of the file disappearance were lost with the restore.  (Personally, I am a bit suspicious that the primary client may have screwed something up.)

Having made a full restore and run for most of a week, hardware failure doesn't look likely, and the S.M.A.R.T. utils I subsequently installed don't indicate it.

> Of course it could also be that the cracker is watching the
> system and actively rooting it, so that when you re-installed
> whatever method was previously used to crack the system was
> used again in short order.

That is a distinct possibility - not exactly short order, but we may be on his list of easy marks.  Then again, while there is a certain amusement to be had in simply destroying a system, it's not the way most people spend a lot of their time.  I suppose one of the clients on the server could have annoyed someone sufficiently to motivate a repeated attack.

> So, in either case I think a little research is in order to determine
> how to keep this particular bad guy out.

Um, yes.  I believe that's implied in my earlier query.  In particular, there is the kernel update, and I will be looking for further ways to tighten CGI security, as well as looking for other clues.

One plan I think is rather valuable is to simply run the server and watch it very carefully.
_______________________________________________
Kclug mailing list
Kclug@kclug.org
http://kclug.org/mailman/listinfo/kclug