On 10/30/06, Daniel <[EMAIL PROTECTED]> wrote:
On 10/27/06, Ryan Simpkins <[EMAIL PROTECTED]> wrote:
> Secondly, and to back up a bit, how do you know that it was via SSH they gained
> access? Is SSH the only service running on your system?
Sorry to interject - A similar event like this happened to me on a webserver. What I found was that it wasn't an SSH attack, that it was actually a hole in a program on the webserver - I think it was phpbb - where they were able to use a crafted query string because safe mode was off in php and open-basedir was not only allowing for the web user root path.

So I fixed that, got rid of the programs (which incidentally were sending phishing spam) and hacked the guy back and got all his tools, lists etc.

At any rate, if you are running php, double-check your settings and make SURE you turn off the url-fopen wrappers - Those can cause havoc. Also double-check you're running in safe mode, and set open basedir settings in your apache conf per virtual host.

--
Matthew Frederico
http://www.ultrize.com
Office: (801) 938-4071
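The per-virtual-host check suggested in the message above can be automated. The following is an added example, not code from the original post: it scans Apache configuration text and reports, for each `<VirtualHost>`, which of the three PHP settings named in the message are missing or weakly set. The sample configuration, host names and the function name `audit_vhosts` are constructed for illustration, and `safe_mode` only exists in PHP versions before 5.4.

```python
import re

# Constructed sample Apache configuration (not from the original post).
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName forum.example.org
    DocumentRoot /var/www/forum
</VirtualHost>

<VirtualHost *:80>
    ServerName shop.example.org
    DocumentRoot /var/www/shop
    php_admin_flag safe_mode on
    php_admin_flag allow_url_fopen off
    php_admin_value open_basedir /var/www/shop:/tmp
</VirtualHost>
"""

# Directive -> predicate that accepts a hardened value.
# safe_mode applies only to PHP < 5.4, where the setting still exists.
REQUIRED = {
    "safe_mode": lambda v: v in ("on", "1"),
    "allow_url_fopen": lambda v: v in ("off", "0"),
    "open_basedir": lambda v: v not in ("", "/", "none"),
}

VHOST_RE = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S | re.I)
NAME_RE = re.compile(r"^[ \t]*ServerName[ \t]+(\S+)", re.M | re.I)
PHP_RE = re.compile(
    r"^[ \t]*php_(?:admin_)?(?:flag|value)[ \t]+(\S+)[ \t]+(.*?)[ \t]*$",
    re.M | re.I)

def audit_vhosts(conf_text):
    """Return {server_name: [directives that are missing or weakly set]}."""
    findings = {}
    for body in VHOST_RE.findall(conf_text):
        body = re.sub(r"#.*", "", body)  # ignore commented-out directives
        m = NAME_RE.search(body)
        name = m.group(1) if m else "(unnamed)"
        settings = {k.lower(): v.strip("\"'").lower()
                    for k, v in PHP_RE.findall(body)}
        findings[name] = [d for d, ok in REQUIRED.items()
                          if d not in settings or not ok(settings[d])]
    return findings

if __name__ == "__main__":
    for host, weak in audit_vhosts(SAMPLE_CONF).items():
        print(host, "OK" if not weak else "missing/weak: " + ", ".join(weak))
```

A virtual host that sets nothing inherits the server-wide php.ini values, so a "missing" finding means the host relies on the global default rather than that the setting is necessarily off.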
