Security Breach ?

Leonard Isham leonard.isham at gmail.com
Wed Mar 2 23:39:44 UTC 2005


On Wed, 2 Mar 2005 18:12:05 -0500, Chris Strzelczyk
<cstrzelczyk at nobletechnology.net> wrote:
> Alright well now it's certain I have a friend on my system.  I have
> found this file named "https" on my
> system in /tmp
> 
> I'm not as PERL savvy as I want to be but it does open IRC on the
> server.  The file is owned by apache:apache.  So it
> looks like my friend is using Apache as a tool.  Would anybody have a
> clue on how he could get this in tmp and then run it?
> The file was not set executable either.
> 
[snip]

You have been owned.  You don't know the extent or how the intrusion
happened.  Any ID and password on that system can be considered
compromised.  The system could have been used as a stepping stone to
get to other systems.

The only safe bet is to save your content (review it to make sure it
was not compromised), and reload the server.  Lock it down including
limiting the daemons running and secure those.

Change passwords to strong passwords on all accounts on all systems.
Lock down your perimeter.

This could turn into a book, but this is what I recommend to start with.


Reload and secure your system
-- 
Leonard Isham, CISSP
Ostendo non ostento.
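A small triage helper for the situation described in this thread (a non-executable Perl file dropped in /tmp, owned by the web-server account, that speaks IRC). This is an added example, not code from the original thread; it assumes the web-server account is named apache, that Python 3 is available, and the sample file built by demo() is constructed for illustration.

```python
"""Find script-like files in temp directories owned by the web-server account,
the pattern described in the thread ("https" in /tmp, owned by apache:apache,
not executable, opens IRC).  Non-executable does not mean harmless: an
interpreter can still be pointed at the file, so the mode is only reported."""
import os
import pwd
import re
import stat

# Interpreter shebang and IRC protocol verbs; either one in a temp-dir file
# owned by the web-server user is worth a look.
SHEBANG = re.compile(rb"^#!.*\b(perl|python|sh|bash)\b")
IRC_MARKERS = re.compile(rb"\b(NICK|JOIN|PRIVMSG)\s")

def uid_of(user="apache"):
    """Resolve the web-server account name (assumed: apache) to a uid."""
    return pwd.getpwnam(user).pw_uid

def inspect_file(path, suspect_uid):
    """Return a finding for a regular file owned by suspect_uid that looks
    like a script or carries IRC strings; None otherwise."""
    try:
        st = os.lstat(path)
    except OSError:
        return None
    if not stat.S_ISREG(st.st_mode) or st.st_uid != suspect_uid:
        return None
    with open(path, "rb") as fh:
        head = fh.read(65536)
    reasons = []
    if SHEBANG.match(head):
        reasons.append("script shebang")
    if IRC_MARKERS.search(head):
        reasons.append("IRC protocol strings")
    if not reasons:
        return None
    return {"path": path, "executable": bool(st.st_mode & stat.S_IXUSR),
            "reasons": reasons}

def scan(dirs, suspect_uid):
    """Walk the given directories and collect findings."""
    hits = []
    for d in dirs:
        for root, _subdirs, files in os.walk(d):
            for name in files:
                finding = inspect_file(os.path.join(root, name), suspect_uid)
                if finding:
                    hits.append(finding)
    return hits

def demo():
    """Constructed sample: a mode-0644 Perl IRC bot named 'https' beside a
    benign session file, owned by the current user, then scanned."""
    import tempfile
    d = tempfile.mkdtemp(prefix="triage-demo-")
    bot = os.path.join(d, "https")
    with open(bot, "wb") as fh:
        fh.write(b'#!/usr/bin/perl\nprint $sock "NICK bot\\r\\nJOIN #chan\\r\\n";\n')
    os.chmod(bot, 0o644)
    with open(os.path.join(d, "sess_abc"), "wb") as fh:
        fh.write(b'user|s:5:"alice";')
    return scan([d], os.getuid())
```

On a live host, run scan(["/tmp", "/var/tmp", "/dev/shm"], uid_of("apache")) and treat each finding as evidence to preserve before the rebuild, not as something to clean up in place.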
