On Tue, Jun 2, 2009 at 6:42 PM, Wade Richards <w...@wabyn.net> wrote:
> Don't obsess on root access. Any unauthorized use is a problem.
You are right, of course. Right after I sent my message saying that "perhaps the machine hasn't been exploited yet" I realised how wrong such a view is. Someone gained access to an area they should not have access to; it has been exploited already.

I have been fortunate enough to only be in this situation twice in the last ten years. The first time was due to a weak password, and luckily our attacker only installed an IRC bouncer (renamed to "bash" so it wouldn't stand out in a process listing). We could literally get away with not reinstalling the entire machine, because the damage was limited to one user account (yes, we did check for replaced binaries :-) ).

The second time was caused by a PHP hosting control panel, which gave the attackers (Turkish crackers unhappy with that Danish cartoon) the ability to create FTP accounts and deface websites. Once again, the damage was limited and we got away without a full reinstall.

It was in this sense that I hoped Johann (a former colleague of mine) might be lucky enough to get away with limited damage.

Wait, there was a third time. On a CentOS box, I found a core file in /etc/cron.d. I immediately realised what it was, as I had had an argument about which kernel versions are affected with someone just the previous week (thread here: http://lists.clug.org.za/pipermail/clug-tech/2006-July/032952.html). In this case, we eventually found that a former employee of the organisation had tried several exploits on the machine and left some tell-tale signs behind. In this instance, though it seemed none of the exploits succeeded, we decided to trash the CentOS install and move to Debian :-)

In any case, enough about me. Good luck Johann, and I look forward to more information on exactly what happened here.

regards,
Izak
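Two of the checks mentioned in Izak's story (a bouncer renamed to "bash" to hide in a process listing, and a look for replaced binaries) can be scripted. The following is an added example written for this page, not code posted by anyone in the thread. It assumes a Linux /proc layout, where /proc/<pid>/comm carries the name `ps` displays (taken from the filename that was exec'd) while /proc/<pid>/exe still points at the file actually running, and it assumes dpkg's .md5sums format ("<md5>  <path relative to />", one entry per line). The names INNOCENT_NAMES, SYSTEM_DIRS, the Proc class and the helper functions are this example's own choices. The self-check builds a fake root with constructed files rather than touching the live system.

```python
"""Added example: two post-intrusion triage checks for a Debian-style host.
Assumes a Linux /proc layout and dpkg's .md5sums record format."""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Iterable, Iterator

# Names an intruder might pick so a process blends into `ps` output (assumed list).
INNOCENT_NAMES = {"bash", "sh", "dash", "sshd", "cron", "init", "syslogd", "rsyslogd"}
# Where a genuine binary with one of those names is expected to live (merged-/usr included).
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/")


@dataclass(frozen=True)
class Proc:
    pid: int
    comm: str  # /proc/<pid>/comm: the name ps shows, set from the exec'd filename
    exe: str   # /proc/<pid>/exe target: the file actually running; renaming does not change it


def iter_procs(proc_root: str = "/proc") -> Iterator[Proc]:
    """Enumerate live processes, skipping ones that vanish or that we may not read."""
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            continue
        yield Proc(int(entry), comm, exe)


def masquerading(procs: Iterable[Proc]) -> list[Proc]:
    """Flag processes named like a shell or daemon whose executable lives outside
    the system directories or has been unlinked ("... (deleted)")."""
    flagged = []
    for p in procs:
        if p.comm not in INNOCENT_NAMES:
            continue
        if p.exe.endswith(" (deleted)") or not p.exe.startswith(SYSTEM_DIRS):
            flagged.append(p)
    return flagged


def parse_md5sums(text: str) -> dict[str, str]:
    """Parse one /var/lib/dpkg/info/<pkg>.md5sums file into {absolute path: md5}."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, rel_path = line.partition("  ")
        records["/" + rel_path] = digest
    return records


def changed_files(records: dict[str, str], root: str = "/") -> list[str]:
    """Return packaged files whose on-disk MD5 differs from dpkg's record.
    MD5 is used only because that is what dpkg stores; this is a change
    detector, not proof of integrity, and the records sit on the same disk
    an intruder could have edited."""
    changed = []
    for path, expected in sorted(records.items()):
        full = os.path.join(root, path.lstrip("/"))
        try:
            with open(full, "rb") as f:
                actual = hashlib.md5(f.read()).hexdigest()
        except OSError:
            continue  # missing file: worth reporting separately, not a "change"
        if actual != expected:
            changed.append(path)
    return changed


def self_check() -> list[str]:
    """Run changed_files() against a constructed fake root: one intact file and
    one 'replaced' ls. Returns the paths reported as changed."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr/bin"))
        intact = b"#!/bin/sh\necho genuine\n"
        with open(os.path.join(root, "usr/bin/genuine"), "wb") as f:
            f.write(intact)
        with open(os.path.join(root, "usr/bin/ls"), "wb") as f:
            f.write(b'#!/bin/sh\nexec /usr/bin/ls.orig "$@" | grep -v bouncer\n')
        md5sums = (  # constructed record: 'genuine' matches, 'ls' does not
            f"{hashlib.md5(intact).hexdigest()}  usr/bin/genuine\n"
            f"{hashlib.md5(b'original ls bytes').hexdigest()}  usr/bin/ls\n"
        )
        return changed_files(parse_md5sums(md5sums), root)


if __name__ == "__main__":
    for p in masquerading(iter_procs()):
        print(f"suspicious: pid {p.pid} named {p.comm!r} runs {p.exe}")
    print("self-check, replaced files:", self_check())
```

Run it as root so /proc/<pid>/exe is readable for every process. A hit from masquerading() is a lead, not a verdict: a process that set its own name with prctl(PR_SET_NAME) will also show a mismatch. For the binary check, debsums against a freshly downloaded package set, or a comparison made after booting from clean media, is stronger than trusting the .md5sums files on a disk the intruder has had write access to.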