Folder problem (possible hacking)

Scot L. Harris webid at cfl.rr.com
Wed Nov 10 16:36:02 UTC 2004


On Wed, 2004-11-10 at 10:49, Franco wrote:

Top posting reordered below.

> Scot L. Harris wrote:
> > On Wed, 2004-11-10 at 10:08, Franco wrote:
> > 
> >>Thanks to everyone, I have resolved it using cd './   /.tmp'
> >>
> > 
> > 
> > So you accessed the directory, but have you reloaded the system from
> > scratch?  If not you are probably still exposed and your system may
> > still be under the control of some one else.  If they take exception to
> > you removing their files they may come back in and wipe your system.
> > 
> > You should disconnect the system from the network immediately and
> > reinstall the OS from scratch.  That is the only sure way of making sure
> > you have control of your server back.
> > 
> Hi, my system was restored yesterday and the old hd was slaved.
> So I can access it and see what has happened.
> I think that the problem is in some user's script that allows exec
> in the tmp folder.
> Now I'm trying to resolve this issue.
> For the moment all PHP scripts work with safe_mode ON.
> Any suggestions?
> 

That is good to hear.  You need to figure out how your system was compromised.
Make sure the latest patches are applied, particularly for all network-facing
processes: apache, php, email, etc.

Review your password files and make sure strong passwords are used.

Disable all unused services.

Run iptables and only permit those things through that need access.

Install tripwire immediately after the restore and snapshot your system.  Review
the tripwire reports each night looking for any changes made to your system.

If /tmp is a separate file system (a good idea for an Internet-facing system),
configure it with the noexec and nosuid options on the file system.  This will
prevent someone from executing scripts or programs in that file system.

Review all of your php code for bugs.  Tough to do but if they got in via one
of your php scripts it needs to be done.  Otherwise your clean system is probably 
already owned again.


-- 
Scot L. Harris
webid at cfl.rr.com

A clever prophet makes sure of the event first. 
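Added example, not part of the original thread: a small audit script covering two points from the reply above, whether /tmp is its own file system mounted noexec,nosuid, and whether there are directories hidden behind whitespace-only names like the './   /.tmp' Franco found. It assumes a /proc/mounts-style table (device, mountpoint, fstype, options) and the device name in the fstab comment is a constructed example, not from the page.

```shell
#!/bin/sh
# Added example, not from the original thread: audit the two things the
# reply above asks for.  (1) Is /tmp a separate filesystem mounted with
# noexec and nosuid?  (2) Are there directories whose names are only
# whitespace and dots, the camouflage Franco found ('./   /.tmp')?
# Assumed: a /proc/mounts-style table (dev mountpoint fstype opts ...).
# Corrected fstab line for comparison (device name is a constructed example):
#   /dev/sda5  /tmp  ext3  defaults,noexec,nosuid  1 2

# tmp_mount_missing [MOUNTS_FILE]
# Returns 0 if /tmp is its own mount with noexec and nosuid.  Otherwise
# returns 1 and prints either "not-a-separate-filesystem" or the options
# that still need adding.  Reads /proc/mounts unless a file is given.
tmp_mount_missing() {
    mounts="${1:-/proc/mounts}"
    # take the last /tmp entry: a later mount shadows an earlier one
    line=$(awk '$2 == "/tmp" { l = $0 } END { print l }' "$mounts")
    if [ -z "$line" ]; then
        echo "not-a-separate-filesystem"
        return 1
    fi
    opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
    missing=""
    for want in noexec nosuid; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "${missing# }"
        return 1
    fi
    return 0
}

# odd_dirs ROOT
# Prints every directory under ROOT whose final path component consists
# only of spaces, tabs and dots ('   ', '. ', '...'): names that look
# empty in a casual ls and are a classic place to stash an attacker's kit.
odd_dirs() {
    find "$1" -mindepth 1 -type d 2>/dev/null |
    while IFS= read -r d; do
        base=${d##*/}
        case "$base" in
            *[!.[:space:]]*) ;;          # contains a real character: fine
            *) printf '%s\n' "$d" ;;     # nothing but dots/whitespace
        esac
    done
}

# Run the audit only when invoked as a script named tmp_audit.sh, so the
# functions can also be sourced from another shell.
case "$0" in
*tmp_audit.sh)
    if missing=$(tmp_mount_missing "${1:-/proc/mounts}"); then
        echo "/tmp: separate filesystem, noexec and nosuid present"
    else
        echo "/tmp: fix needed: $missing"
    fi
    echo "suspicious directory names under ${2:-/tmp}:"
    odd_dirs "${2:-/tmp}"
    ;;
esac
```

Save it as tmp_audit.sh and run it as root so find can read all of /tmp; `mount -o remount,noexec,nosuid /tmp` applies the options immediately once the fstab line is fixed. One caveat a practitioner should keep in mind: noexec stops the kernel from running a binary or a `#!` script placed in /tmp directly, but it does not stop `sh /tmp/x.sh` or `php /tmp/x.php`, where the interpreter is what executes; that is why the PHP code review in the reply still matters even after /tmp is hardened.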



