I had the pleasure some years ago of a cracker gaining access to a Linux box on my work network running SME Server. I am a lawyer, not a software professional, though computers have been an enjoyable hobby for me since my late teens, and I have administered our work network and a number of others for some years. I have read this thread with some discomfort. Though I would like to think I am reasonably well informed, I am very conscious that there is a great deal I do not know.
The compromise occurred over the Christmas/New Year period when I was interstate. The server had ssh access enabled via password entry and fell victim to a brute force password attack. Fortunately I had software installed which alerted me to the problems. I was particularly fortunate in that I was able to shut down access whilst the cracker was logged in, and the activities were clearly shown in the log files. I took copies of the logs and shut down the machine, then took it off the network and did a more thorough review on my return to Sydney. Needless to say, even though I was fairly confident that I had traced all of the nefarious activities, I did a complete reinstall of the whole system. I also made some substantial changes to the way the network was set up, including ssh access.

I learnt some valuable lessons. I was doing quite a few things well, and was thus able to detect the compromise quickly. But I was also doing a number of things wrong, including allowing external ssh login by password. (But I also noted with interest the recent bug in Debian systems when generating keys, which would have made even this method insecure on these boxes.)

My point is that these things do happen. The server was a private one, and was not hosting any external services other than email and ssh. I still do not know how the attacker located the machine. I presume it was probably through a port scan which may have taken place some time before. It is a big mistake to believe that these problems are limited to Windows machines. If you are running Linux servers particularly, you need to take this type of problem very seriously.

-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
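The two lessons in the post above, that a password brute force shows up plainly in the sshd log and that the fix is to stop accepting passwords over ssh, can both be checked mechanically. The following is an added example, not code from the original post or from SME Server: it parses OpenSSH's standard syslog lines, flags a source address that fails many password attempts in a short window and then gets an "Accepted password" (the scenario the post describes), and audits an sshd_config fragment for the settings that permit password guessing. The log lines, host name, addresses, year and the threshold of five failures in two minutes are constructed assumptions.

```python
"""Detect SSH password brute-force bursts in auth log lines and audit sshd_config.

Added example; not from the original mailing-list post. Sample log lines are
constructed in OpenSSH's syslog format, and the thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines (documentation-range addresses, not real hosts).
SAMPLE_AUTH_LOG = [
    "Dec 28 03:14:01 smeserver sshd[2104]: Failed password for root from 192.0.2.77 port 50211 ssh2",
    "Dec 28 03:14:03 smeserver sshd[2106]: Failed password for invalid user admin from 192.0.2.77 port 50213 ssh2",
    "Dec 28 03:14:05 smeserver sshd[2108]: Failed password for root from 192.0.2.77 port 50215 ssh2",
    "Dec 28 03:14:07 smeserver sshd[2110]: Failed password for root from 192.0.2.77 port 50217 ssh2",
    "Dec 28 03:14:09 smeserver sshd[2112]: Failed password for root from 192.0.2.77 port 50219 ssh2",
    "Dec 28 03:14:11 smeserver sshd[2114]: Accepted password for root from 192.0.2.77 port 50221 ssh2",
    "Dec 28 09:02:44 smeserver sshd[2310]: Accepted publickey for alice from 198.51.100.5 port 40122 ssh2",
    "Dec 28 09:10:02 smeserver sshd[2315]: Failed password for alice from 198.51.100.5 port 40130 ssh2",
]

# Matches the "Accepted/Failed <method> for [invalid user] <user> from <ip> port <n>" lines sshd logs.
LOG_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2008):
    """Return a dict for an sshd auth line, or None. Syslog omits the year, so it is a parameter."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"], "user": m["user"], "ip": m["ip"]}


def failed_password_bursts(lines, threshold=5, window=timedelta(minutes=2), year=2008):
    """Map each source IP to the largest number of failed password attempts within any `window`,
    keeping only IPs that reach `threshold`. Uses a sliding window over sorted timestamps."""
    failures = defaultdict(list)
    for line in lines:
        ev = parse_line(line, year)
        if ev and ev["result"] == "Failed" and ev["method"] == "password":
            failures[ev["ip"]].append(ev["ts"])
    bursts = {}
    for ip, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[ip] = best
    return bursts


def successes_after_bursts(lines, threshold=5, window=timedelta(minutes=2), year=2008):
    """The worst case from the post: password logins accepted from an IP that was guessing."""
    bursts = failed_password_bursts(lines, threshold, window, year)
    hits = []
    for line in lines:
        ev = parse_line(line, year)
        if ev and ev["result"] == "Accepted" and ev["method"] == "password" and ev["ip"] in bursts:
            hits.append((ev["ip"], ev["user"], ev["ts"].isoformat()))
    return hits


# Constructed 'before' and 'after' sshd_config fragments (assumed, not the post's actual config).
WEAK_SSHD_CONFIG = "PermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED_SSHD_CONFIG = (
    "PermitRootLogin no\nPasswordAuthentication no\n"
    "ChallengeResponseAuthentication no\nPubkeyAuthentication yes\n"
)


def audit_sshd_config(text):
    """Return findings for settings that let a remote party guess passwords.
    An absent directive is treated as permissive, which is the conservative reading."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, value = (re.split(r"[\s=]+", line, 1) + [""])[:2]
            settings[key.lower()] = value.strip().lower()
    findings = []
    if settings.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no': remote password guessing is possible")
    if settings.get("permitrootlogin", "yes") not in ("no", "prohibit-password", "without-password"):
        findings.append("PermitRootLogin allows root to log in with a password")
    if settings.get("challengeresponseauthentication", "yes") != "no":
        findings.append("ChallengeResponseAuthentication left on: PAM can still prompt for a password")
    return findings


if __name__ == "__main__":
    print("bursts:", failed_password_bursts(SAMPLE_AUTH_LOG))
    print("accepted after burst:", successes_after_bursts(SAMPLE_AUTH_LOG))
    print("weak config:", audit_sshd_config(WEAK_SSHD_CONFIG))
    print("hardened config:", audit_sshd_config(HARDENED_SSHD_CONFIG))
```

On a real box the input would be the lines of /var/log/secure or /var/log/auth.log and the text of /etc/ssh/sshd_config; the sliding window is what distinguishes a guessing run from the occasional mistyped password, and the audit's treatment of a missing directive as permissive is deliberate, since OpenSSH accepts passwords unless told otherwise.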