[CentOS] Compromised

Wed Sep 10 03:44:27 UTC 2008
R P Herrold <herrold at owlriver.com>

On Tue, 9 Sep 2008, Miark wrote:

> My wife's office server was compromised today. It appears
> they ssh'ed in through

ehh?  exposed to the public internet?  oh my  ;)

> account pcguest which was set up for Samba. (I don't 
> remember setting up that account, but maybe I did.)

ssh will of course honor 'wrappers'; samba can and should be 
set to respond only on local networks; iptables can block 
outbound packets just as well as inbound ones  ;)

> I used 'find' to locate ftp_scanner, which was running in a
> folder under /var/tmp. It seems that before I could nuke the
> directory, it nuked itself!

Some root kits take matters a bit further and wipe out the 
partition table, MBR, and more, so that even a reboot will 
fail.

> Because it was running from /var/tmp, and because 'find' and
> 'ps' were not compromised (in that they did not hide the
> ftp_scanner processes or files), I'm thinking the attacker
> really didn't get any further than eating some bandwidth.

or that they left a 'present' behind, in hopes you don't wipe 
and reinstall, and attempt to 'repair' a machine in an 
unknowable state.  ;)

> I suppose I have no choice but to re-install, but I thought I'd
> get some feedback first. (Something other than, "Way to
> go, moron.") In the meantime, I'm pulling the plug.

A hard lesson to learn -- I bet you'll remember it.

-- Russ herrold
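The three controls Russ lists (TCP wrappers for sshd, Samba answering only on the local network, iptables filtering outbound as well as inbound) can be checked on a rebuilt box with a small audit script. The script below is an added example, not from the list thread or the CentOS project; it runs against constructed sample files written into a temp directory, so the 192.168.1.0/24 office network, the file names and every config line in it are assumptions, not settings from Miark's server.

```shell
#!/bin/sh
# Added example, not from the list thread. Audits the three controls named
# in the reply (TCP wrappers for sshd, Samba restricted to the LAN, outbound
# iptables filtering) against constructed sample files. The 192.168.1.0/24
# network and all file contents below are assumptions.
set -u
WORK=$(mktemp -d)

# --- constructed samples: a hardened set and a weak set ---
cat > "$WORK/hosts.allow" <<'EOF'
sshd: 192.168.1.0/255.255.255.0
EOF
cat > "$WORK/hosts.deny" <<'EOF'
sshd: ALL
EOF
cat > "$WORK/hosts.allow.weak" <<'EOF'
sshd: ALL
EOF
cat > "$WORK/smb.conf" <<'EOF'
[global]
   workgroup = OFFICE
   interfaces = lo 192.168.1.0/24
   bind interfaces only = yes
   hosts allow = 127. 192.168.1.
EOF
cat > "$WORK/smb.conf.weak" <<'EOF'
[global]
   workgroup = OFFICE
EOF
cat > "$WORK/iptables.dump" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "OUT-DROP "
COMMIT
EOF
cat > "$WORK/iptables.dump.weak" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF

# sshd is wrapped when hosts.deny ($2) refuses it by default and
# hosts.allow ($1) admits it only from named networks, never "ALL".
sshd_wrapped() {
    grep -Eiq '^[[:space:]]*(sshd|ALL)[[:space:]]*:[[:space:]]*ALL([[:space:]]|$)' "$2" || return 1
    grep -Eiq '^[[:space:]]*sshd[[:space:]]*:' "$1" || return 1
    grep -Eiq '^[[:space:]]*sshd[[:space:]]*:[[:space:]]*ALL([[:space:]]|$)' "$1" && return 1
    return 0
}

# Samba is local-only when smb.conf either lists the hosts it answers
# (and not "ALL") or is bound to explicit interfaces.
samba_local_only() {
    if grep -Eiq '^[[:space:]]*hosts allow[[:space:]]*=' "$1"; then
        grep -Eiq '^[[:space:]]*hosts allow[[:space:]]*=[[:space:]]*ALL([[:space:]]|$)' "$1" && return 1
        return 0
    fi
    grep -Eiq '^[[:space:]]*bind interfaces only[[:space:]]*=[[:space:]]*(yes|true|1)' "$1" || return 1
    grep -Eiq '^[[:space:]]*interfaces[[:space:]]*=' "$1"
}

# An iptables-save dump filters outbound traffic when the OUTPUT chain's
# default policy is DROP or REJECT; a scanner that ran from /var/tmp
# would then need an explicit ACCEPT to reach anything.
outbound_filtered() {
    grep -Eq '^:OUTPUT (DROP|REJECT) ' "$1"
}

report() {
    label=$1; shift
    if "$@"; then echo "PASS $label"; else echo "FAIL $label"; fi
}

report "sshd wrappers (hardened)"     sshd_wrapped "$WORK/hosts.allow" "$WORK/hosts.deny"
report "sshd wrappers (weak)"         sshd_wrapped "$WORK/hosts.allow.weak" "$WORK/hosts.deny"
report "samba local-only (hardened)"  samba_local_only "$WORK/smb.conf"
report "samba local-only (weak)"      samba_local_only "$WORK/smb.conf.weak"
report "outbound filtered (hardened)" outbound_filtered "$WORK/iptables.dump"
report "outbound filtered (weak)"     outbound_filtered "$WORK/iptables.dump.weak"
```

On a real host the same functions take /etc/hosts.allow, /etc/hosts.deny, /etc/samba/smb.conf and the output of `iptables-save`; the checks are deliberately conservative (a default-ACCEPT OUTPUT chain with a few DROP rules still reports FAIL), because the point of the reply is that a box in an unknowable state gets rebuilt with default-deny in both directions rather than patched in place.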