[CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....

Wed Jun 3 06:31:49 UTC 2009
Ian Forde <ian at duckland.org>

On Wed, 2009-06-03 at 01:57 -0400, JohnS wrote:
> On Wed, 2009-06-03 at 00:46 -0500, John R. Dennison wrote:
> > On Wed, Jun 03, 2009 at 12:30:10AM -0500, Neil Aggarwal wrote:
> > > 
> > > It would be prudent to review his web code to see
> > > if he did something in an insecure way.  If his code
> > > is open to attack, it will be so even if he puts it
> > > on a new machine.
> > 
> > 	Hence my statements to evaluate the web-apps he has running :)
> > 
> > 	I will bet dollars to donuts he had a web app with a known issue
> > 	that was not patched.  Also goes back to my previous statement
> > 	of fully patching.
> > 
> ---
> Dollars to Donuts ehhh???
> How many donuts you think it will take to pay for legal costs and clean
> up if there are customer data on the machine? I think right about now I
> would:
> 1. Notify Risk Management and Your Compliancy Officer.
> 2. Take it off the network connections.
> 3. Do a live rsync and dd image + ram copy = running processes/hidden.
> 4. Same as 3. but with the machine off.
> 5. The company attorney needs to be notified.
> 6. By State and Federal Law in the US you have so many days to report
> incidents like this to users (customers) and law enforcement.

If, by step 4, you mean remove the drive[1], stick it into USB
enclosure, make a copy of it, then stick the original into a plastic bag
in full view of a witness[2] then give it to them, I agree
wholeheartedly[3].  I've been through this before and this is, IMHO[4], a
safer way to operate.

	-I

[1] Assuming no RAID.  If you have RAID, you can go to a separate box
and make a live backup via:
	goodhost# ssh badhost '(cat /dev/sda)' > badhost-sda.ddout
[2] Your manager or corporate counsel will do in this example.  Better
if it's both.
[3] This does *NOT* constitute legal advice.  Talk to your corporate
counsel before taking action, as this may constitute a criminal matter.
[4] See [3] above.
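As an added example (not code from the thread or from any of its posters): a small POSIX sh script that does what footnote [1] does, pulling the raw device off the suspect box with `ssh badhost cat /dev/sda` from a clean host, but hashes the bytes on both ends so the copy can be shown to match the source, and appends a custody record with the hash for the witness in [2]. `badhost` and `/dev/sda` are the thread's names; the function names, the `REMOTE` variable and the `custody.log` file are assumptions of this example.

```sh
#!/bin/sh
# Forensic image of a block device over ssh, with hashes on both ends.
# Added example, not from the original thread. "badhost" and /dev/sda are the
# thread's; REMOTE, CUSTODY_LOG and the function names are assumed here.
#
# From the clean host, as in the thread's footnote [1]:
#   REMOTE=badhost image_device /dev/sda badhost-sda.ddout
# With REMOTE unset the same function images a local device or file.

set -u

CUSTODY_LOG=${CUSTODY_LOG:-custody.log}

# sha256 of stdin, hash only; falls back to shasum where coreutils is absent.
sha256_stdin() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum | cut -d' ' -f1
  else
    shasum -a 256 | cut -d' ' -f1
  fi
}

# Run a simple command on the suspect host if REMOTE is set, else locally.
# ssh joins its arguments with spaces, so "cat /dev/sda" survives intact.
run_on() {
  if [ -n "${REMOTE:-}" ]; then
    ssh "$REMOTE" "$@"
  else
    "$@"
  fi
}

# Hash of a device/file computed where the data lives (remote: sha256sum on
# badhost, so the second read never crosses the network).
sha256_at_source() {
  if [ -n "${REMOTE:-}" ]; then
    ssh "$REMOTE" sha256sum "$1" | cut -d' ' -f1
  else
    sha256_stdin < "$1"
  fi
}

# image_device DEVICE OUTFILE
#  1. stream the raw device (the thread's "cat /dev/sda") into OUTFILE,
#     hashing exactly the bytes that land locally;
#  2. hash the device again, independently, at the source;
#  3. reject the image unless both hashes agree;
#  4. append a custody record (when, from where, what, size, hash).
# Prints the verified hash and returns 0; returns 1 on mismatch.
image_device() {
  dev=$1; out=$2
  local_hash=$(run_on cat "$dev" | tee "$out" | sha256_stdin)
  # On a live box the disk can change between the two reads; a mismatch
  # here means the image is not a faithful snapshot, which is one reason
  # the thread also wants a copy taken with the machine off (step 4).
  src_hash=$(sha256_at_source "$dev")
  if [ "$local_hash" != "$src_hash" ]; then
    echo "image of $dev does not match source: $local_hash != $src_hash" >&2
    return 1
  fi
  bytes=$(wc -c < "$out" | tr -d ' ')
  printf '%s host=%s device=%s image=%s bytes=%s sha256=%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${REMOTE:-localhost}" \
    "$dev" "$out" "$bytes" "$local_hash" >> "$CUSTODY_LOG"
  printf '%s\n' "$local_hash"
}

# verify_image IMAGE EXPECTED_HASH
# Re-hash a stored image later (e.g. when handing it over in front of the
# witness) and confirm it still matches the recorded hash.
verify_image() {
  [ "$(sha256_stdin < "$1")" = "$2" ]
}
```

Run it against a file first (REMOTE unset) to see the custody line it writes; then against the real disk with `REMOTE=badhost`. If the two hashes disagree on a live system, that is the disk changing under you, not a transfer error, and it is the argument for the powered-off image.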