On Sun, May 25, 2003 at 02:35:32PM -0400, Ed McMan wrote:
> Sunday, May 25, 2003, 2:04:30 PM, Jayson Vantuyl (Jayson) wrote:
>
> Jayson> We've had a number of hacked boxen recently. It appears a certain
> Jayson> person (Romanian we think) is specifically targeting us and our
> Jayson> customers (looks like he hit a machine and found connections from others
> Jayson> in their logs, went from there).
>
> That's pretty unsettling..

Tell me about it. It's disturbing for me because we are in such a small town (~150k). While that sounds like a lot, we're in backwoods Missouri--where the businesses are low-tech and the owners are really, really cheap (average income per capita is like $15k/yr with 80% of the town living paycheck to paycheck). That makes the computer community pitifully small--and widespread Linux-related badness overly ugly. It's got us spooked enough to get law-enforcement involved.

> Have you tried running snort? If it's a known vulnerability it should
> be able to pick it up (don't use Debian's.. it's very out of date).
> You might want to try scanning your boxes with nessus too (kind of
> unlikely that it would find anything, but... (don't use Debian version
> again)).

Not yet. I'll try a non-packaged version.

> Have all of the hacked boxes been running a while without a reboot?
> Someone discussed that programs running from updated libraries
> would still be vulnerable until they were restarted. For instance, if
> you haven't restarted ssh or apache (if you're using ssl) since openssl
> was upgraded, an openssl exploit would still work.

Most were around 30 days (although I shed a tear rebooting the two that were over 400 days!).

Jayson
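
The point raised in the quoted text above, that a daemon keeps running the old library until it is restarted, can be checked on Linux without a reboot by looking for shared objects that are still mapped but have been replaced on disk. This is an added example, not part of the original thread; the sample `/proc/<pid>/maps` lines, library paths and inode numbers are constructed.

```python
import os
import re

# One /proc/<pid>/maps line: address perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+\s+(\S{4})\s+[0-9a-f]+\s+\S+\s+\d+\s*(.*)$")
DELETED = " (deleted)"

def stale_libraries(maps_text):
    """Return sorted paths of executable .so mappings whose file was replaced."""
    stale = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        perms, path = m.groups()
        # The kernel appends " (deleted)" once the backing file is unlinked,
        # which is what a package upgrade does to the old library.
        if not path.endswith(DELETED):
            continue
        path = path[:-len(DELETED)]
        # Skip deleted non-library mappings such as SysV shared memory.
        if "x" in perms and ".so" in os.path.basename(path):
            stale.add(path)
    return sorted(stale)

def scan_proc(root="/proc"):
    """Return {pid: [stale libraries]} for every readable process (run as root)."""
    found = {}
    for pid in filter(str.isdigit, os.listdir(root)):
        try:
            with open(os.path.join(root, pid, "maps")) as fh:
                libs = stale_libraries(fh.read())
        except OSError:  # process exited, or no permission to read it
            continue
        if libs:
            found[int(pid)] = libs
    return found

# Constructed sample: an sshd started before the crypto library was upgraded.
SAMPLE_SSHD = """\
08048000-0809a000 r-xp 00000000 03:01 12345 /usr/sbin/sshd
40018000-4011a000 r-xp 00000000 03:01 23456 /usr/lib/libcrypto.so.0.9.6 (deleted)
4011a000-40126000 rw-p 00101000 03:01 23456 /usr/lib/libcrypto.so.0.9.6 (deleted)
40126000-40240000 r-xp 00000000 03:01 34567 /lib/libc.so.6
40300000-40310000 rw-s 00000000 00:04 98304 /SYSV00000000 (deleted)
bfffe000-c0000000 rwxp 00000000 00:00 0
"""

if __name__ == "__main__":
    for pid, libs in sorted(scan_proc().items()):
        print(pid, ", ".join(libs))
```

Any process listed needs a restart before the upgraded library protects it.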