On Tue, 9 Sep 2008, Miark wrote:

> My wife's office server was compromised today. It appears
> they ssh'ed in through

ehh? exposed to the public internet? oh my ;)

> account pcguest which was set up for Samba. (I don't
> remember setting up that account, but maybe I did.)

ssh will of course honor 'wrappers'; samba can and should be set to
respond only on local networks; iptables can block outbound packets
just as well as inbound ones ;)

> I used 'find' to locate ftp_scanner, which was running in a
> folder under /var/tmp. It seems that before I could nuke the
> directory, it nuked itself!

Some root kits take matters a bit further and wipe out the partition
table, MBR, and more, so that even a reboot will fail.

> Because it was running from /var/tmp, and because 'find' and
> 'ps' were not compromised (in that they did not hide the
> ftp_scanner processes or files), I'm thinking the attacker
> really didn't get any further than eating some bandwidth.

or that they left a 'present' behind, in hopes you don't wipe and
reinstall, and attempt to 'repair' a machine in an unknowable state. ;)

> I suppose I have no choice but to re-install, but I thought I'd
> get some feedback first. (Something other than, "Way to
> go, moron.") In the meantime, I'm pulling the plug.

A hard lesson to learn -- I bet you'll remember it.

-- Russ herrold
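An added example, not part of the thread above: a small POSIX sh check for the two symptoms Miark described, a process running out of /var/tmp (or /tmp, /dev/shm) and a running process whose binary has already deleted itself. It reads /proc directly rather than trusting ps or ls, and takes the proc root as a parameter so the constructed fixture below (fake pids and paths, not real data) can exercise it without root.

```shell
#!/bin/sh
# Added example: flag processes executing from scratch directories or
# from a binary that has been unlinked while still running.

SCRATCH_DIRS="/tmp /var/tmp /dev/shm"

# flag_exe EXE_TARGET -> prints a reason and returns 0 if suspicious,
# returns 1 (prints nothing) otherwise. The kernel appends " (deleted)"
# to /proc/PID/exe when the executable no longer exists on disk.
flag_exe() {
    target=$1
    case "$target" in
        *" (deleted)") echo "deleted-binary"; return 0 ;;
    esac
    for d in $SCRATCH_DIRS; do
        case "$target" in
            "$d"/*) echo "runs-from-$d"; return 0 ;;
        esac
    done
    return 1
}

# scan_proc [PROC_ROOT] -> one line per suspicious pid: "<pid> <reason> <exe>"
# PROC_ROOT defaults to /proc. Unreadable exe links (other users' pids
# when not root) are skipped rather than reported.
scan_proc() {
    root=${1:-/proc}
    for p in "$root"/[0-9]*; do
        [ -L "$p/exe" ] || continue
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        reason=$(flag_exe "$exe") || continue
        echo "${p##*/} $reason $exe"
    done
}

# Constructed fixture (hypothetical paths): a fake proc tree with a normal
# daemon, a scanner running from /var/tmp, and one that has deleted itself.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/1" "$fx/2" "$fx/3"
    ln -s /usr/sbin/sshd "$fx/1/exe"
    ln -s /var/tmp/.x/ftp_scanner "$fx/2/exe"
    ln -s "/var/tmp/.x/ftp_scanner (deleted)" "$fx/3/exe"
    echo "$fx"
}

# Set PROCSCAN_LIVE=1 (hypothetical switch) to run against the real /proc.
[ -n "$PROCSCAN_LIVE" ] && scan_proc /proc
```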