
Re: [ProgSoc] I have just been hacked :(



On Wednesday 31 May 2006 1:09 pm, Peter Nguyen wrote:
 ] my home webserver has just been hacked, and I'm looking to find out
 ] how my security was compromised and bypassed.

 Be careful when posting questions like this, or when ringing
 helpdesks etc, to not bother people with spurious details, such as
 what operating system or what web server you're using.

 People like a challenge.

 ] No malicious damage was done, 

 That's a big call to make.  The only *observable* change made was
 an index.html, but that doesn't mean it was the *only* change.

 In general terms, once a machine has been compromised, it can never
 be trusted again, and should be rebuilt from known sources.

 In specific terms, and I'm assuming you're running some variant of
 GNU/Linux here, you're too late (to work out what has been changed).

 In future, you may wish to install something like tripwire, which
 is one of the few ways of being able to say with some degree of
 confidence that certain files have been modified, and other files
 have not.  If you have another machine on your network, sending logs
 from your web server to that box makes sense, too.

 In something between specific and general terms, who owns the
 content of your www root directory?  Ie, what level of access was
 breached by the ne'er-do-well?  If it was root, then refer back to
 the general terms (above).  If it was a non-privileged user, then
 you could have slightly more confidence in the box's integrity.

 I'm assuming that you recorded the owner and modification time
 of the index.html that was left for you?

 You can cross reference that time with information from your login
 records (man last).  Again, if root was compromised, then you
 can not trust the integrity of any file, including logs, kept on this
 box.  You can also look at your web logs for that time -- and this
 is going to be especially relevant if you have some poorly written
 POST or cgi apps.  This in turn becomes particularly relevant if
 the index.html is owned by the same process that runs the web server
 and/or your cgi apps.

 ] what steps could you guys suggest to me to beef up security and minimise
 ] further attacks?

 Install tripwire.
 Run some variety of (N)IDS.
 Run your web server in a virtual machine (Xen or VMware server).
 Redirect logs to separate, or parent, host.
 Keep your system up to date with the latest patches.
 Harden your firewall (minimise all access to all things).

 Jedd.
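A worked version of the triage described in the reply above, as an added example that is not part of the original thread and is not tripwire's own code: it records the owner and modification time of the defaced file, pulls the web-log entries within a window around that time (flagging POST and cgi-bin requests, the ones the reply says to look at first), and keeps a simple hash baseline so that later you can say which files have and have not changed. The file paths, the sample log lines and the window size are constructed for illustration.

```python
#!/usr/bin/env python3
"""Post-compromise triage helpers (added example, not from the original post).

Assumes a stock GNU/Linux box and an Apache/nginx "combined" access log.
All paths and log lines below are constructed for illustration.
"""
import hashlib
import os
import pwd
import re
from datetime import datetime, timedelta

# One combined-format access log line looks like:
# 203.0.113.5 - - [31/May/2006:13:02:11 +1000] "POST /cgi-bin/guest.cgi HTTP/1.0" 200 512 "-" "Mozilla"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log; the defacement in this scenario happens around 13:04 local time.
SAMPLE_LOG = [
    '198.51.100.7 - - [31/May/2006:12:10:41 +1000] "GET / HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [31/May/2006:13:02:11 +1000] "GET /cgi-bin/guest.cgi?name=x HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [31/May/2006:13:03:27 +1000] "POST /cgi-bin/guest.cgi HTTP/1.0" 200 88 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [31/May/2006:13:06:00 +1000] "GET /index.html HTTP/1.1" 200 302 "-" "Wget/1.10"',
    'this is not a log line and is skipped',
    '198.51.100.7 - - [31/May/2006:14:30:00 +1000] "GET /about.html HTTP/1.0" 200 2048 "-" "Mozilla/4.0"',
]


def parse_ts(s):
    """Parse an Apache-style timestamp ('31/May/2006:13:02:11 +1000') into an aware datetime."""
    return datetime.strptime(s, "%d/%b/%Y:%H:%M:%S %z")


def file_owner_and_mtime(path):
    """Record what the reply asks for first: who owns the file and when it was last modified."""
    st = os.stat(path)
    owner = pwd.getpwuid(st.st_uid).pw_name
    mtime = datetime.fromtimestamp(st.st_mtime).astimezone()  # aware, local timezone
    return owner, mtime


def parse_log_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = parse_ts(rec["ts"])
    return rec


def requests_near(mtime, log_lines, window_minutes=10):
    """Log entries within +/- window_minutes of the file's mtime, in log order.

    Each hit carries a 'suspicious' flag for POST requests and anything under
    /cgi-bin/, since a defaced file owned by the web server's user points at
    a web application rather than at a login.
    """
    lo = mtime - timedelta(minutes=window_minutes)
    hi = mtime + timedelta(minutes=window_minutes)
    hits = []
    for line in log_lines:
        rec = parse_log_line(line)
        if rec is None or not (lo <= rec["ts"] <= hi):
            continue
        rec["suspicious"] = rec["method"] == "POST" or rec["path"].startswith("/cgi-bin/")
        hits.append(rec)
    return hits


def fingerprint(path):
    """Owner, permission bits, size and SHA-256 of one file: the attributes a tripwire-style database records."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"uid": st.st_uid, "mode": st.st_mode & 0o7777, "size": st.st_size, "sha256": h.hexdigest()}


def baseline(paths):
    """Build the baseline. Store the result off the box (as the reply says for logs),
    otherwise an attacker with root can rewrite it along with everything else."""
    return {p: fingerprint(p) for p in paths}


def compare(old, new):
    """Diff two baselines: paths whose attributes differ, plus paths added or removed."""
    changed = sorted(p for p in old if p in new and old[p] != new[p])
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    return {"changed": changed, "added": added, "removed": removed}


if __name__ == "__main__":
    # Constructed mtime standing in for what file_owner_and_mtime('/var/www/index.html') would return.
    defaced_at = parse_ts("31/May/2006:13:04:30 +1000")
    for hit in requests_near(defaced_at, SAMPLE_LOG):
        flag = "!!" if hit["suspicious"] else "  "
        print(flag, hit["ts"].isoformat(), hit["ip"], hit["method"], hit["path"], hit["status"])
```

Run it on the real box with `file_owner_and_mtime('/var/www/index.html')` in place of the constructed timestamp and the access log read from disk; if the owner turns out to be root rather than the web server's user, the reply's point stands and the log correlation is only a lead, not evidence.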
