Top-posting... but please forgive.
The box is a very recently updated "stable" box... virtually every other day apt-get update/upgrade is run. The box is set up very securely... the usual things were done... like ensuring no unused services are running and things like that.

So does that mean "stable" is actually vulnerable to something we all don't know about???

----- Original Message -----
From: "Russell Coker" <[EMAIL PROTECTED]>
To: "Jason Lim" <[EMAIL PROTECTED]>; <debian-isp@lists.debian.org>
Sent: Sunday, 29 June, 2003 1:49 PM
Subject: Re: Server hacked - next...?

On Sun, 29 Jun 2003 15:00, Jason Lim wrote:
> One of our servers was hacked (woody)... badly, from what I can see. A

From the ps output it appears that the hack originated from the web server or a CGI-BIN script it ran. As they ran modprobe I guess they got root. :(

The recommended method is to back up configuration files and data and reinstall the machine from scratch.

Fighting off a hacker who is already in your machine as root is difficult. Doing it properly is more difficult than preventing them cracking your machine in the first place. Best to reinstall.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page