[CentOS] Compromised
Jason Sutherland
jay at jaysweb.net
Wed Sep 10 03:47:15 UTC 2008
Yeah, pull the network plug first. Then boot up with a Knoppix CD to
backup your data and/or image the disk, then reload. I'm sure you could
do a full audit of the system but reloading is likely much quicker.
A word to the wise on the account pcguest, if it was one you created,
set the shell to something like /sbin/nologin. That can help to prevent
unauthorized ssh access if you happen to leave a password blank. I'll
leave the additional suggestions and heckles to others on the lists.
Miark wrote:
> My wife's office server was compromised today. It appears
> they ssh'ed in through account pcguest which was set up for
> Samba. (I don't remember setting up that account, but maybe I
> did.) At any rate, I found a bazillion "ftp_scanner" processes
> running. A killall finished them off quickly, I nuked the
> pcguest account, and switched ssh to a different port (which
> I normally do anyway).
>
> I used 'find' to locate ftp_scanner, which was running in a
> folder under /var/tmp. It seems that before I could nuke the
> directory, it nuked itself!
>
> Because it was running from /var/tmp, and because 'find' and
> 'ps' were not compromised (in that they did not hide the
> ftp_scanner processes or files), I'm thinking the attacker
> really didn't get any further than eating some bandwidth.
>
> I suppose I have no choice but to re-install, but I thought I'd
> get some feedback first. (Something other than, "Way to
> go, moron.") In the meantime, I'm pulling the plug.
>
> Miark
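As an added example (not from the thread), a POSIX shell audit for the pcguest-style problem Jason describes: accounts that keep an interactive shell while their shadow entry has an empty password field, with the usermod remediation printed for each hit. The passwd and shadow contents below are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread: find accounts that keep an interactive
# shell while their shadow entry has an empty password field, the pairing the
# reply above warns about. Sample passwd/shadow files are constructed so this
# runs offline; on a real host use /etc/passwd and /etc/shadow (root needed).
NOLOGIN_SHELLS='/sbin/nologin /usr/sbin/nologin /bin/false'

# Returns 0 when the shell does not permit an interactive login.
is_nologin_shell() {
    for s in $NOLOGIN_SHELLS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# Prints "user:shell" for each account with a login shell and an empty hash.
find_open_accounts() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        is_nologin_shell "$shell" && continue
        # An empty second field in shadow means no password is required.
        pwhash=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$2")
        if [ -z "$pwhash" ]; then
            printf '%s:%s\n' "$user" "$shell"
        fi
    done < "$1"
}

# Remediation for one account, printed rather than executed so the example
# is safe to run: disable the login shell and lock the password.
remediation_for() {
    printf 'usermod -s /sbin/nologin -L %s\n' "$1"
}

# Constructed sample data mirroring the thread: a Samba guest account with a
# login shell and a blank password next to ordinary accounts.
SAMPLE_PASSWD=$(mktemp); SAMPLE_SHADOW=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
pcguest:x:1001:1001:Samba guest:/home/pcguest:/bin/bash
alice:x:1002:1002:Alice:/home/alice:/bin/bash
EOF
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$saltsalt$hashhash:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
pcguest::17000:0:99999:7:::
alice:$6$othersalt$otherhash:17000:0:99999:7:::
EOF
find_open_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" | while IFS=: read -r u rest; do remediation_for "$u"; done
```

Only the account with both an interactive shell and a blank password is reported, so service accounts already set to /sbin/nologin stay quiet.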