on 6-3-2009 1:15 PM Bob Hoffman spake the following:
It would be prudent to review his web code to see if he did something in an insecure way. If his code is open to attack, it will be so even if he puts it on a new machine.
Hence my statements to evaluate the web-apps he has running :)
I will bet dollars to donuts he had a web app with a known issue that was not patched. Also goes back to my previous statement of fully patching.
Dollars to Donuts ehhh??? How many donuts you think it will take to pay for legal costs and clean up if there are customer data on the machine? I think right about now I would:
1. Notify Risk Management and your Compliance Officer.
2. Take it off the network connections.
3. Do a live rsync and dd image + RAM copy = running processes/hidden.
4. Same as 3. but with the machine off.
5. The company attorney needs to be notified.
6. By State and Federal Law in the US you have so many days to report incidents like this to users (customers) and law enforcement.
I would say, if he is local to the datacenter, pull the machine. Take it home and analyze what is going on with it. Reinstalling does nothing to keep it from happening as soon as it is back on the net.
The admin must find out what it is. I think we all agree on some things..
1- disconnect from the internet
2- back up all data
3- virus/trojan scan all data backed up
4- after figuring out what is happening and how it has happened....
4a- root kit? Other security programs? Virus/trojan check again.
4c- check all logs of any kind for any sort of key on anything sent out from the server.
5- reinstall, patch, re-add data
6- check for issues regarding the original issue.
I think everyone is on the same page but does not know it. I think every single person reading this would love to see not only the resolution but what caused it and any info on preventing it.
Looking at some of the apps he was running, several of them have had vulnerabilities in the past like phpmysqladmin. I see script kiddie runs at that almost every day, along with runs at horde, roundcube webmail, and sql injection and buffer overflow attempts against apache.
Everything on the internet is a target.
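As an added example, not code from anyone in this thread: a small POSIX shell helper for the acquisition steps discussed above (snapshot of volatile state first, then a dd image whose hash is checked against the source before anything is reinstalled). The device and output paths are assumptions supplied by the caller; a memory copy needs a kernel module and is not covered here.

```bash
#!/bin/sh
# Added example for the thread's "disconnect, image, hash, then analyze" steps.
# Assumes a POSIX shell with dd plus sha256sum (or shasum); SRC/DST paths are
# caller-supplied (on the real box SRC would be a block device such as /dev/sda).
set -u

# hash_file FILE: print the SHA-256 of FILE, portable across coreutils and BSD.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# capture_volatile DIR: record processes and sockets into DIR while the box is
# still up; this is the state that is gone once it is powered off. Prints the
# number of evidence files written.
capture_volatile() {
    dir=$1
    mkdir -p "$dir"
    date -u '+%Y-%m-%dT%H:%M:%SZ' > "$dir/acquired_at.txt"
    ps -ef > "$dir/processes.txt" 2>/dev/null || ps aux > "$dir/processes.txt"
    # ss is not present everywhere; fall back to netstat, else note the gap.
    { ss -tunap 2>/dev/null || netstat -tunap 2>/dev/null \
        || echo "no socket listing tool available"; } > "$dir/sockets.txt"
    ls "$dir"/*.txt | wc -l | tr -d ' '
}

# image_device SRC DST: bit-for-bit copy of SRC to DST with dd, then hash both
# and write the pair next to the image. Returns 0 only when the hashes agree,
# so a bad or interrupted copy is caught before the original is wiped.
# (For media with bad sectors use ddrescue; plain dd stops on read errors.)
image_device() {
    src=$1
    dst=$2
    dd if="$src" of="$dst" bs=1M 2>/dev/null || return 1
    src_hash=$(hash_file "$src")
    dst_hash=$(hash_file "$dst")
    printf '%s  %s\n%s  %s\n' "$src_hash" "$src" "$dst_hash" "$dst" > "$dst.sha256"
    [ "$src_hash" = "$dst_hash" ]
}
```

Keep the `.sha256` file with the image; it is what lets you show later that the copy you analyzed matches what was on the disk.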