[CentOS] Compromised
Josh Donovan
josh.dvan at yahoo.co.uk
Wed Sep 10 08:52:59 UTC 2008
--- On Wed, 10/9/08, Miark <mlist2 at gardnerbusiness.com> wrote:
> From: Miark <mlist2 at gardnerbusiness.com>
> Subject: [CentOS] Compromised
> To: centos at centos.org
> Date: Wednesday, 10 September, 2008, 3:24 AM
> My wife's office server was compromised today. It appears
> they ssh'ed in through account pcguest which was set up for
> Samba. (I don't remember setting up that account, but maybe I
> did.) At any rate, I found a bazillion "ftp_scanner" processes
> running. A killall finished them off quickly, I nuked the
> pcguest account, and switched ssh to a different port (which
> I normally do anyway).
>
> I used 'find' to locate ftp_scanner, which was running in a
> folder under /var/tmp. It seems that before I could nuke the
> directory, it nuked itself!
>
> Because it was running from /var/tmp, and because 'find' and
> 'ps' were not compromised (in that they did not hide the
> ftp_scanner processes or files), I'm thinking the attacker
> really didn't get any further than eating some bandwidth.
>
> I suppose I have no choice but to re-install, but I thought
> I'd get some feedback first. (Something other than, "Way to
> go, moron.") In the meantime, I'm pulling the plug.
>
> Miark
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
See http://mirror.centos.org/centos-4/4.6/docs/html/rhel-sg-en-4/ch-exploits.html
Hackers use scanners that use accounts like "test", "pcguest", etc.
A while back I set up a system on VMWare with a blank password for
the "test" account. Unfortunately they did not fall for it. In the
meantime, secure your server.
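As an added example, not part of the thread and not anyone's posted code, the POSIX shell script below runs the triage checks the thread points at: successful ssh logins by scanner-favourite accounts, accounts that still have a login shell, sshd_config directives that make password scanning worthwhile, and running processes whose executable sits under /tmp, /var/tmp or /dev/shm (read from /proc, so a tool that deletes itself, as the one in the thread did, still shows up with " (deleted)" appended while it runs). The auth log lines, passwd entries and sshd_config lines are constructed sample input; the account list beyond "test" and "pcguest" is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): triage checks for an intrusion where a
# scanner logs in over ssh with a weak guest-style account and drops a tool
# under /var/tmp. All log, passwd and sshd_config text below is constructed
# sample input, not real system output.

# Account names password scanners commonly try; "test" and "pcguest" come from
# the thread, the rest are an assumption.
SUSPECT_ACCOUNTS='test pcguest guest ftp admin'

# Constructed sshd auth log sample (syslog format as written by OpenSSH).
SAMPLE_AUTHLOG='Sep 10 01:02:03 office sshd[4242]: Failed password for test from 203.0.113.7 port 51234 ssh2
Sep 10 01:02:09 office sshd[4242]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Sep 10 01:03:11 office sshd[4251]: Accepted password for pcguest from 203.0.113.7 port 51300 ssh2
Sep 10 01:05:40 office sshd[4260]: Accepted publickey for miark from 198.51.100.2 port 40022 ssh2'

# Constructed passwd(5) sample.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
pcguest:x:502:502:Samba guest:/home/pcguest:/bin/bash
miark:x:500:500::/home/miark:/bin/bash
smbguest:x:503:503:Samba guest:/dev/null:/sbin/nologin'

# Constructed sshd_config sample.
SAMPLE_SSHD_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no'

# Successful ssh logins by suspect accounts: prints "user source-ip" per hit.
# Failed attempts are background noise; an Accepted line is the event that matters.
accepted_logins_for_suspects() {
    printf '%s\n' "$1" | awk -v accts="$SUSPECT_ACCOUNTS" '
        BEGIN { n = split(accts, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /sshd\[[0-9]+\]: Accepted / {
            user = ""; src = ""
            for (i = 1; i <= NF; i++) if ($i == "for") { user = $(i + 1); src = $(i + 3) }
            if (user in want) print user, src
        }'
}

# Accounts that can actually log in (shell is not nologin/false). A Samba-only
# account belongs in the nologin group; one with /bin/bash is an ssh target.
login_capable_accounts() {
    printf '%s\n' "$1" | awk -F: '$1 != "" && $7 !~ /\/(nologin|false)$/ { print $1 }'
}

# sshd_config directives that make password scanning worthwhile.
weak_sshd_settings() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(#|$)/ { next }
        { k = tolower($1); v = tolower($2) }
        (k == "permitemptypasswords" || k == "permitrootlogin" || k == "passwordauthentication") && v == "yes" { print $1, $2 }'
}

# Running processes whose executable lives in a world-writable temp directory,
# read from /proc/<pid>/exe. The link target survives after the binary deletes
# itself (the kernel appends " (deleted)"), so a self-removing tool is still
# visible while it runs. $1 is the proc root; it defaults to /proc and is a
# parameter only so the check can be exercised against a constructed tree.
procs_running_from_tmp() {
    root=${1:-/proc}
    for d in "$root"/[0-9]*; do
        [ -L "$d/exe" ] || continue
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        case "$exe" in
            /tmp/*|/var/tmp/*|/dev/shm/*) printf '%s %s\n' "${d##*/}" "$exe" ;;
        esac
    done
}

echo '== accepted logins for suspect accounts (sample log) =='
accepted_logins_for_suspects "$SAMPLE_AUTHLOG"
echo '== login-capable accounts (sample passwd) =='
login_capable_accounts "$SAMPLE_PASSWD"
echo '== weak sshd settings (sample config) =='
weak_sshd_settings "$SAMPLE_SSHD_CONFIG"
echo '== processes running from temp directories (live /proc) =='
procs_running_from_tmp /proc
```

On a live host, feed the functions /var/log/secure, /etc/passwd and /etc/ssh/sshd_config instead of the samples. Moving sshd to another port, as the original poster did, only reduces scanner noise; the checks above go after what actually let the scanner in: an account with a guessable password and a real shell, and an sshd that accepts passwords for it.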