A couple of the computers I am responsible for have been attacked in
the last few months. The first one was my sister's computer. I
enabled the ssh server, but didn't limit it to only my account, and
left password authentication on instead of setting it to use keys
only. My sister's password was very simple and easy to guess. That
machine was running what appeared to be an IRC relay for a day or so
until I caught it. I only caught it because they changed my sister's
password and she couldn't log on any more, which was kind of
suspicious. The auth logs showed what happened pretty clearly, and they
made the amateur mistake of deleting .bash_history before logging
off, not realizing that bash writes .bash_history after you log
off. Since they logged in a couple of times, I only had part of the
history, but enough to see what they did.
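One way to spot the pattern the auth logs showed here, as an added example that is not from the original post: a small Python script that flags a successful password login preceded by repeated failures from the same address. The log lines, host name, user names and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of a Debian /var/log/auth.log
# (host name, user names and addresses are made up for this example).
SAMPLE_AUTH_LOG = """\
Mar  3 02:11:04 sisterbox sshd[4120]: Failed password for alice from 203.0.113.7 port 51022 ssh2
Mar  3 02:11:09 sisterbox sshd[4120]: Failed password for alice from 203.0.113.7 port 51022 ssh2
Mar  3 02:11:15 sisterbox sshd[4123]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Mar  3 02:11:21 sisterbox sshd[4125]: Failed password for alice from 203.0.113.7 port 51041 ssh2
Mar  3 02:11:27 sisterbox sshd[4127]: Accepted password for alice from 203.0.113.7 port 51050 ssh2
Mar  3 09:40:02 sisterbox sshd[5001]: Accepted publickey for bob from 192.0.2.10 port 40210 ssh2
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"Accepted (password|publickey) for (\S+) from (\S+) port")


def find_suspicious_logins(log_text, min_failures=3):
    """Return (user, source, failures_before) for every password login that
    followed min_failures or more failed attempts from the same source."""
    failures = defaultdict(int)  # source address -> failed attempts so far
    hits = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, src = m.groups()
            # A key-based login is not the guessed-password pattern we want.
            if method == "password" and failures[src] >= min_failures:
                hits.append((user, src, failures[src]))
            failures[src] = 0  # reset the counter once a login succeeds
    return hits


if __name__ == "__main__":
    for user, src, n in find_suspicious_logins(SAMPLE_AUTH_LOG):
        print(f"password login for {user} from {src} after {n} failures")
```

Run it against a real auth.log by reading the file into `find_suspicious_logins` instead of the constructed sample.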
The other one was this very web server, which served as a spam
relay for about 8 hours. The attackers exploited a bug in the web
server or one of its modules, likely PHP, possibly one of the PHP applications,
like Drupal, Gallery, or Serendipity. The attackers didn't get
root access, but managed to install an executable that ran on port 80
in the place of Apache. The executable received requests and
forwarded them to my mail daemon, effectively hijacking it.
I installed the security updates for Apache and all the other stuff
packaged by Debian, saved all the logs, archived the stuff that was
installed, and rebooted the machine. Apache came back, just as it
was. Whew. The log files showed that the attackers were somehow using
wget to download stuff, so I removed wget and a bunch of other stuff
(like GCC) that isn't needed or wanted on a web server.
I haven't rebuilt either machine yet, contrary to conventional
wisdom. I really should. I ran a port scan on my sister's computer
from my home computer, and I'm satisfied that there are no stealth
processes running there (although they could listen only between 3
and 4 am or something sneaky like that). In fact, there are no
processes there at all, since I disabled ssh. I can just drive over
to my sister's place now if there is anything that needs fixing.