R P Herrold
herrold at owlriver.com
Wed Sep 10 03:44:27 UTC 2008
On Tue, 9 Sep 2008, Miark wrote:
> My wife's office server was compromised today. It appears
> they ssh'ed in through
ehh? exposed to the public internet? oh my ;)
> account pcguest which was set up for Samba. (I don't
> remember setting up that account, but maybe I did.)
ssh will of course honor 'wrappers'; samba can and should be
set to respond only on local networks; iptables can block
outbound packets just as well as inbound ones ;)_
> I used 'find' to locate ftp_scanner, which was running in a
> folder under /var/tmp. It seems that before I could nuke the
> directory, it nuked itself!
Some root kits take matters a bit further and wipe out the
partition table, MBR, and more, so that even a reboot will
> Because it was running from /var/tmp, and because 'find' and
> 'ps' were not compromised (in that they did not hide the
> ftp_scanner processes or files), I'm thinking the attacker
> really didn't get any further than eating some bandwidth.
or that they left a 'present' behind, in hopes you don't wipe
and reinstall, and attempt to 'repair' a machine in an
unknowable state. ;)
> I suppose I have no choice but to re-install, but I thought I'd
> run I'd get some feedback first. (Something other than, "Way to
> go, moron.") In the meantime, I'm pulling the plug.
A hard lesson to learn -- I bet you'll remember it.
-- Russ herrold
More information about the CentOS