
[SLUG] Recovering From Breakin/Weirdness



Dear Slug,

Last weekend my web hosting server was unlucky enough to lose its entire
/bin directory. Apache kept running fine, FTP could transfer but not
view files, and SSH wouldn't let anyone in because there was no bash.

All I could do (or thought I could do) was go in Monday morning to Zip
where the box is colocated and fix it up directly. First question:

1. Would there have been any way for me to get into my box to replace
the files in /bin remotely? Without bash I really was lost for ideas,
other than attempting to find a hole in my sendmail configuration.

Anyway, back to Zip.

I was smart enough to *not* leave a floppy drive *or* CD drive in the
box. (Idiot.) So I took a CD-ROM drive in with me along with tomsrtbt
and a RH6.1 CD. Unfortunately the floppy drive I borrowed didn't work so
I ended up booting from the RH CD and doing an Upgrade (the system was
running 6.0 previously, and I knew this would replace all the important
files). 

Lesson: Always have a rescue disk for your box (blah blah), actually
have a floppy drive *installed* in the machine, and also keep a CD-ROM
drive attached with CD available to reinstall if needed.

With RedHat reinstalled, all the important packages had been replaced
so the system was back to running as normal. Now for the meat of my
questions and seeking advice. 

I really did not have enough clue about what to do in order to track
down the breakin. The files were deleted at 1:50am Saturday morning,
because at that time I proceeded to receive three cron messages every
minute telling me that the scheduled job couldn't run because there was
no /bin/bash. Checking the logs now, there is a chunk missing from 11pm
Friday till about 9am Saturday. Mail kept working fine during this time.

2. Could this break-in have been through a wu-ftpd vulnerability? I may
have been lax in keeping up to date with the wu-ftpd security updates. I
was probably running 2.5.0, which someone mentioned earlier as having
been a problem.

3. What is a usual plan of attack to check for traces of the attacker?
Presumably the RH upgrade would have replaced trojans with good copies.
I've checked for any suspicious processes but can't seem to find any.
Where else should I look?

Thanks for your time,
Chuck
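One way to check for the kind of log gap Chuck describes in question 3, as an added example that is not part of the original post: it parses syslog-style lines from /var/log/messages (the sample below is constructed, not Chuck's logs, and the year 2000 is assumed because syslog timestamps carry none) and reports every stretch longer than a threshold with no entries at all.

```python
"""Find suspicious gaps in a syslog-style log (added example, not from the
original post). A stretch with no entries at all, like the 11pm-to-9am hole
described above, deserves a closer look on an otherwise busy server."""
from datetime import datetime, timedelta

# Constructed sample /var/log/messages excerpt: a server that normally logs
# cron activity every hour, then nothing between 23:01 Fri and 09:01 Sat.
SAMPLE_LOG = """\
Feb  4 21:01:00 www CROND[2101]: (root) CMD (run-parts /etc/cron.hourly)
Feb  4 22:01:00 www CROND[2140]: (root) CMD (run-parts /etc/cron.hourly)
Feb  4 23:01:00 www CROND[2177]: (root) CMD (run-parts /etc/cron.hourly)
Feb  5 09:01:00 www CROND[2301]: (root) CMD (run-parts /etc/cron.hourly)
Feb  5 10:01:00 www CROND[2342]: (root) CMD (run-parts /etc/cron.hourly)
"""


def parse_syslog_time(line, year):
    """Return the timestamp of one syslog line. Syslog omits the year, so
    the caller supplies it (assumption: every line falls in that year)."""
    stamp = line[:15]  # "Mon DD HH:MM:SS"; the day is space-padded
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def find_log_gaps(text, year, min_gap=timedelta(hours=2)):
    """Return (gap_start, gap_end, hours) for every silence >= min_gap
    between consecutive log entries."""
    times = [parse_syslog_time(line, year)
             for line in text.splitlines() if line.strip()]
    gaps = []
    for prev, cur in zip(times, times[1:]):
        if cur - prev >= min_gap:
            gaps.append((prev, cur, (cur - prev).total_seconds() / 3600))
    return gaps


if __name__ == "__main__":
    for start, end, hours in find_log_gaps(SAMPLE_LOG, 2000):
        print(f"no log entries for {hours:.1f}h: {start} -> {end}")
```

A gap alone proves nothing (the box may simply have been idle), but a silence that coincides with the first failing cron job narrows down when to look for modified files and new accounts.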
--
SLUG - Sydney Linux Users Group Mailing List - http://www.slug.org.au
To unsubscribe send email to slug-request@nospam.slug.org.au with
unsubscribe in the text