> One plan I think is rather valuable is to simply run the server and watch it very carefully.
That would make it a honey pot in production. I would advise more active measures (if you have access/control/contact over the network/firewalls).
Ron
________________________________
From: [email protected] on behalf of Jonathan Hutchins
Sent: Fri 2/25/2005 5:19 PM
To: [email protected]
Subject: Re: Server Saga
On Friday 25 February 2005 03:56 pm, Brian Densmore wrote:
> since you apparently had already been hacked prior to the reinstall (evidenced by the rm -rf /), I would wager that your reload from the image you have here is already rooted.
Nope. Checked that. The image was several weeks old, and while an exploit may have been planted, then used at a later date, I think this is unlikely. Any traces of the actual cause of the file disappearance were lost with the restore. (Personally, I am a bit suspicious that the primary client may have screwed something up.)
Having made a full restore and run for most of a week, hardware failure doesn't look likely, and the S.M.A.R.T. utils I subsequently installed don't indicate it.
> Of course it could also be that the cracker is watching the system and actively rooting it, so that when you re-installed whatever method was previously used to crack the system was used again in short order.
That is a distinct possibility - not exactly short order, but we may be on his list of easy marks. Then again, while there is a certain amusement to be had in simply destroying a system, it's not the way most people spend a lot of their time. I suppose one of the clients on the server could have annoyed someone sufficiently to motivate a repeated attack.
> So, in either case I think a little research is in order to determine how to keep this particular bad guy out.
Um, yes. I believe that's implied in my earlier query. In particular, there is the kernel update, and I will be looking for further ways to tighten CGI security, as well as looking for other clues.
One plan I think is rather valuable is to simply run the server and watch it very carefully.
_______________________________________________
Kclug mailing list [email protected] http://kclug.org/mailman/listinfo/kclug
On Friday 25 February 2005 05:22 pm, Geoffrion, Ron P [ITS] wrote:
> One plan I think is rather valuable is to simply run the server and watch it very carefully.
> That would make it a honey pot in production. I would advise more active measures (if you have access/control/contact over the network/firewalls).
I'm open to suggestions; I certainly didn't imply that was the _only_ thing I'd be doing. I do need to maintain the server in production; I do not control the firewalls but they are well managed.
It does look like a lot of the Perl changes were the results of CPAN updates - having re-run the updates, I see the same changes.
Jonathan Hutchins wrote:
> On Friday 25 February 2005 05:22 pm, Geoffrion, Ron P [ITS] wrote:
>> One plan I think is rather valuable is to simply run the server and watch it very carefully.
>> That would make it a honey pot in production. I would advise more active measures (if you have access/control/contact over the network/firewalls).
> I'm open to suggestions; I certainly didn't imply that was the _only_ thing I'd be doing. I do need to maintain the server in production; I do not control the firewalls but they are well managed.
A degree of "active measures" I'd love to see someday would be trace methods. Sadly, most of the miscreants playing these games have some degree of spoof or relay insulating them from their just rewards. But were some truly gruesome and public examples made of those who cause us such effort? I do NOT advocate mere crude violence. Despite how good it would feel.
Yet surely, after we identify a culprit beyond reasonable doubt, some creative fate could intervene in their lives, no? An example would be a return to Ban listing or Meidung. Literally put: do these exploits, get caught, and hell will freeze before any honorable person will acknowledge your existence. Game over. Full stop. A complete shunning where the less polite will literally spit on such a wretch. Perhaps a social hierarchy placing such keyboard vandals as less desirable neighbors than child molesters?
The only true ends to these Zeno races of exploit and counter-exploit will be either software evolution or social evolution.
Or we revert to violence and mangle the keyboard fingers of any malware authors before telling them that no pain medication is in the future either. SIGH. We can dream, eh? Because it's no longer "Cute" or "Funny". These exploits are making our lives harder, so returning the favor seems more than fair to me.
DO note my acknowledgment that there IS a difference between public notification of an exploit weakness and someone actually using an exploit for malice. Open Source is stronger for our legitimate testing of weakness. Being told of a security hole is a good thing. Provided it's not abused. Nothing excuses abusing innocent people's data for any reason.
Oren
"Think of it as Evolution in Action"