Re: Debian Stable server hacked

2003-08-14 Thread Wolfgang Fischer
Hi,
maybe a legitimate user account combined with a local root exploit has
been used to crack the server. Does this server have any legitimate user
accounts? Are you sure you trust these users? Are you sure they (or you)
don't write their passwords on a piece of paper?

Who has local access to the server (unprotected LILO/Grub, booting from
CDROM (KNOPPIX), mount the hd on another system)? Even if it might be
manipulated, you should check the uptime of the system.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: Debian Stable server hacked

2003-08-14 Thread Wolfgang Fischer
On Thu, 07 Aug 2003 03:00:12 +0200, Peter Cordes wrote:

> sshd logs IP addresses of connections.  Was the IP address for those "did
> not receive id" connections inside your site, or does it belong to an ISP
> somewhere, or what?  If it's a local address, and not a computer lab, that
> might give you some clues about whose door to knock on...

A professional cracker would have cleaned the sshd logs. So you can't
really trust this logfile.





Re: Debian Stable server hacked

2003-08-08 Thread Wolfgang Fischer
On Wed, 06 Aug 2003 17:50:06 +0200, Alan James wrote:

 
> You say that you have apache and php4 installed. Are you running any php
> applications that may have been compromised? Although I'd expect those
> to leave the attacker with access to www-data rather than root.

Maybe this has been combined with a local root exploit.

> Alan.





Re: Debian Stable server hacked

2003-08-07 Thread Wolfgang Fischer
On Thu, 07 Aug 2003 03:00:12 +0200, Peter Cordes wrote:

> sshd logs IP addresses of connections.  Was the IP address for those "did
> not receive id" connections inside your site, or does it belong to an ISP
> somewhere, or what?  If it's a local address, and not a computer lab, that
> might give you some clues about whose door to knock on...

A professional cracker would have cleaned the sshd logs. So you can't
really trust this logfile.



Re: Debian Stable server hacked

2003-08-07 Thread Wolfgang Fischer
On Wed, 06 Aug 2003 17:50:06 +0200, Alan James wrote:

 
> You say that you have apache and php4 installed. Are you running any php
> applications that may have been compromised? Although I'd expect those
> to leave the attacker with access to www-data rather than root.

Maybe this has been combined with a local root exploit.

> Alan.



Re: Debian Stable server hacked

2003-08-07 Thread Wolfgang Fischer
Hi,
maybe a legitimate user account combined with a local root exploit has
been used to crack the server. Does this server have any legitimate user
accounts? Are you sure you trust these users? Are you sure they (or you)
don't write their passwords on a piece of paper?

Who has local access to the server (unprotected LILO/Grub, booting from
CDROM (KNOPPIX), mount the hd on another system)? Even if it might be
manipulated, you should check the uptime of the system.



Re: capabilities

2003-07-30 Thread Wolfgang Fischer
Hello,
maybe kernel-patch-ctx (together with some user space utilities included
in the vserver package) can help. It gives you the possibility to limit
the superuser.

