Unsubscribe

2005-07-21 Thread Roland Leijten
-Original Message- From: Michael Stone [mailto:[EMAIL PROTECTED] Sent: donderdag 21 juli 2005 4:24 To: debian-security-announce@lists.debian.org Subject: [SECURITY] [DSA 763-1] New zlib packages fix buffer overflow -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 -

Help needed - server hacked twice in three days (and I don't think I'm a newbie)

2005-07-21 Thread Karsten Dambekalns
Hi. A server I take care of has been hacked twice in the last three days. It is running Debian GNU/Linux, obviously. I ask you for advice on how this happened, what happened, and what to do to avoid this. The first hack happened on Tuesday, the machine was running Debian 3.0 plus patches

Re: Help needed - server hacked twice in three days (and I don't think I'm a newbie)

2005-07-21 Thread Karsten Dambekalns
Hi. On Thursday 21 July 2005 20:31, Andras Got wrote: The users, the ones the machine was hacked, were they existing users on the machine? I don't know which user account got hacked, if this was what has happened. Do you use AllowUsers or AllowGroup? No. I hate to admit I didn't know that

Re: Help needed - server hacked twice in three days (and I don't think I'm a newbie)

2005-07-21 Thread Andras Got
Hi, Karsten Dambekalns wrote: Hi. On Thursday 21 July 2005 20:31, Andras Got wrote: The users, the ones the machine was hacked, were they existing users on the machine? I don't know which user account got hacked, if this was what has happened. It's important to know whether it's an

Re: Help needed - server hacked twice in three days (and I don't think I'm a newbie)

2005-07-21 Thread Thomas Sjögren
On Thu, Jul 21, 2005 at 08:17:38PM +0200, Karsten Dambekalns wrote: Now, I find it unlikely to see the same local root exploit in 2.4.18 and 2.6.7. They are both old kernels, compile your own and apply suitable patches. Grsecurity is one, and it doesn't need any particular configuration.

Re: Help needed - server hacked twice in three days (and I don't think I'm a newbie)

2005-07-21 Thread Goswin von Brederlow
Karsten Dambekalns [EMAIL PROTECTED] writes: Hi. On Thursday 21 July 2005 20:31, Andras Got wrote: The users, the ones the machine was hacked, were they existing users on the machine? I don't know which user account got hacked, if this was what has happened. Did you check the last lock?

Re: Help needed - server hacked twice in three days (and I don't think I'm a newbie)

2005-07-21 Thread Karsten Dambekalns
Hi. Thanks for your reply! Another question came up here. Is it really likely to be a SSH brute force break in, or could the attacker have been able to log in some other way? What is currently possible in that respect on a machine that runs ssh, apache, php, exim and nothing else (all as of

Re: Help needed - server hacked twice in three days (and I don't think I'm a newbie)

2005-07-21 Thread Ulf Harnhammar
On Thu, Jul 21, 2005 at 11:49:53PM +0200, Karsten Dambekalns wrote: Another question came up here. Is it really likely to be a SSH brute force break in, or could the attacker have been able to log in some other way? What is currently possible in that respect on a machine that runs ssh,
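The "was it an SSH brute force?" question in the two messages above can be answered from auth.log rather than guessed at. The following is an added example, not code from the thread or from Debian: a Python pass over sshd log lines in the syslog format sshd wrote at the time, which flags source addresses with many failed passwords in a short window and, more telling for this incident, a successful login from an address that was failing moments before. The log lines are constructed for the example; the year (syslog timestamps carry none), the threshold, the window and the function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the format sshd logged around Debian 3.1; not real logs from the thread.
SAMPLE_AUTH_LOG = """\
Jul 21 03:10:01 web sshd[4410]: Failed password for invalid user admin from 192.0.2.10 port 4021 ssh2
Jul 21 03:10:04 web sshd[4412]: Failed password for invalid user test from 192.0.2.10 port 4025 ssh2
Jul 21 03:10:07 web sshd[4414]: Failed password for root from 192.0.2.10 port 4030 ssh2
Jul 21 03:10:10 web sshd[4416]: Failed password for root from 192.0.2.10 port 4033 ssh2
Jul 21 03:10:13 web sshd[4418]: Failed password for guest from 192.0.2.10 port 4037 ssh2
Jul 21 03:10:16 web sshd[4420]: Accepted password for guest from 192.0.2.10 port 4040 ssh2
Jul 21 09:00:00 web sshd[5001]: Failed password for karsten from 198.51.100.7 port 51022 ssh2
Jul 21 09:00:05 web sshd[5003]: Accepted publickey for karsten from 198.51.100.7 port 51023 ssh2
Jul 21 09:00:07 web sshd[5004]: Failed password for root from 203.0.113.9 port 1000 ssh2
"""

# One regex covers both outcomes; "invalid user" is optional so unknown names parse too.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2005):
    """Return a dict for an sshd auth result line, or None for anything else.
    The year is assumed because syslog timestamps do not carry one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
    return ev


def detect(lines, threshold=5, window_s=300, min_failures_before_success=3, year=2005):
    """Sliding-window brute-force detection per source address.

    Returns (brute_sources, suspicious_logins):
      brute_sources     - addresses with >= threshold failures inside window_s seconds
      suspicious_logins - (ip, user, method, recent_failures) for each accepted login
                          preceded by min_failures_before_success or more failures
                          from the same address inside the window
    """
    recent_failures = defaultdict(list)  # ip -> timestamps of failures still inside the window
    brute_sources = set()
    suspicious_logins = []
    for line in lines:
        ev = parse_line(line, year)
        if ev is None:
            continue
        recent = recent_failures[ev["ip"]]
        # Expire failures older than the window relative to this event.
        while recent and (ev["ts"] - recent[0]).total_seconds() > window_s:
            recent.pop(0)
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) >= threshold:
                brute_sources.add(ev["ip"])
        elif len(recent) >= min_failures_before_success:
            # Success right after a burst of failures: the guessing worked, or someone
            # logged in legitimately from a host that was also guessing.
            suspicious_logins.append((ev["ip"], ev["user"], ev["method"], len(recent)))
    return brute_sources, suspicious_logins


if __name__ == "__main__":
    brute, suspicious = detect(SAMPLE_AUTH_LOG.splitlines())
    print("brute-force sources:", sorted(brute))
    for ip, user, method, n in suspicious:
        print(f"login for {user} from {ip} via {method} after {n} recent failures")
```

On a real box, feed it `/var/log/auth.log` plus the rotated `auth.log.*` files, and treat an empty or suspiciously short log with more care than a noisy one: a cleaned log proves nothing either way.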

Re: Help needed - server hacked twice in three days (and I don't think I'm a newbie)

2005-07-21 Thread Karsten Dambekalns
Hi. On Thursday 21 July 2005 22:52, Goswin von Brederlow wrote: I don't know which user account got hacked, if this was what has happened. Did you check the last lock? Maybe the attacker didn't remove the traces there. He ran the mentioned logclean binary, the content of wtmp is not to be

Re: Help needed - server hacked twice in three days (and I don't think I'm a newbie)

2005-07-21 Thread Goswin von Brederlow
Goswin von Brederlow [EMAIL PROTECTED] writes: Karsten Dambekalns [EMAIL PROTECTED] writes: Hi. On Thursday 21 July 2005 20:31, Andras Got wrote: The users, the ones the machine was hacked, were they existing users on the machine? I don't know which user account got hacked, if this was

Re: Help needed - server hacked twice in three days (and I don't think I'm a newbie)

2005-07-21 Thread Karsten Dambekalns
Hi. On Friday 22 July 2005 00:14, Ulf Harnhammar wrote: On Thu, Jul 21, 2005 at 11:49:53PM +0200, Karsten Dambekalns wrote: way? What is currently possible in that respect on a machine that runs ssh, apache, ^^ php,

Re: Help needed - server hacked twice in three days (and I don't think I'm a newbie)

2005-07-21 Thread Karsten Dambekalns
Hi. On Friday 22 July 2005 00:00, Rob Sims wrote: On Thu, Jul 21, 2005 at 11:49:53PM +0200, Karsten Dambekalns wrote: way? What is currently possible in that respect on a machine that runs ssh, apache, php, exim and nothing else (all as of Debian 3.1)? Didn't one of your logs show

last -t lists all entries in wtmp

2005-07-21 Thread J.A. de Vries
Hi, For a monitor script I thought I'd use the -t switch of the last command hoping to get only the latest entries from wtmp. Seems there's something wrong there, since it will return all entries in wtmp regardless. Before I submit a bug report I'd like to know if anyone on the list has noticed
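The `-t` option of `last` is documented as showing the state of logins as of the given time, not as a filter for the newest entries, so a monitor script that wants "everything since my last run" is better off reading wtmp itself. That also serves the earlier thread, where `last` was suggested for spotting the intruder's login and the reply noted that a log cleaner had been run over wtmp: reading the raw records shows what is actually in the file. The following is an added example, not code from either thread: a Python parser for the fixed-width utmp records `last` reads, with the time filter the poster wanted and the login/logout pairing `last` performs. The record layout is the glibc `struct utmp` for i386/x86_64 (384 bytes, 32-bit time fields) and is an assumption; the sample wtmp bytes, timestamps, names and addresses are constructed.

```python
import struct
from datetime import datetime, timezone

# Assumed layout: glibc struct utmp on i386/x86_64 (see <bits/utmp.h>), 384 bytes, little-endian,
# the record format `last` reads from /var/log/wtmp. Fields: ut_type, pad, ut_pid, ut_line[32],
# ut_id[4], ut_user[32], ut_host[256], exit_status (2 shorts), ut_session, tv_sec, tv_usec,
# ut_addr_v6[4], 20 unused bytes.
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20x")
assert UTMP.size == 384

# ut_type values from <utmp.h>
EMPTY, RUN_LVL, BOOT_TIME, NEW_TIME, OLD_TIME, INIT_PROCESS, LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS = range(9)


def _cstr(raw):
    """Decode a NUL-padded fixed-width char array."""
    return raw.split(b"\0", 1)[0].decode("latin-1")


def make_record(ut_type, pid, line, user, host, tv_sec):
    """Pack one utmp record; used here only to build the constructed sample data."""
    return UTMP.pack(ut_type, pid, line.encode(), b"", user.encode(), host.encode(),
                     0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def parse_wtmp(data):
    """Return every complete record in a wtmp byte string, oldest first.
    A trailing partial record (file truncated mid-write) is ignored instead of raising."""
    records = []
    usable = len(data) - len(data) % UTMP.size
    for off in range(0, usable, UTMP.size):
        f = UTMP.unpack_from(data, off)
        records.append({
            "type": f[0], "pid": f[1], "line": _cstr(f[2]), "user": _cstr(f[4]),
            "host": _cstr(f[5]), "tv_sec": f[9],
            "time": datetime.fromtimestamp(f[9], tz=timezone.utc),
        })
    return records


def logins_since(records, since_tv_sec):
    """User logins (USER_PROCESS records) at or after a point in time:
    the 'only the latest entries' filter the poster expected from `last -t`."""
    return [r for r in records if r["type"] == USER_PROCESS and r["tv_sec"] >= since_tv_sec]


def sessions(records):
    """Pair each login with the DEAD_PROCESS record on the same tty (ut_line), as `last` does.
    Returns (user, host, login_tv_sec, logout_tv_sec); logout is None if still logged in."""
    open_by_line, out = {}, []
    for r in records:
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            login = open_by_line.pop(r["line"])
            out.append((login["user"], login["host"], login["tv_sec"], r["tv_sec"]))
    for login in open_by_line.values():  # no logout record seen
        out.append((login["user"], login["host"], login["tv_sec"], None))
    return out


# Constructed sample wtmp (not a real file): a reboot, one completed session, one open session,
# followed by 100 stray bytes standing in for a truncated final record.
T_BOOT, T_LOGIN, T_LOGOUT, T_GUEST = 1121700000, 1121730000, 1121733600, 1121800000
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, 0, "~", "reboot", "", T_BOOT),
    make_record(USER_PROCESS, 2100, "pts/0", "karsten", "198.51.100.7", T_LOGIN),
    make_record(DEAD_PROCESS, 2100, "pts/0", "", "", T_LOGOUT),
    make_record(USER_PROCESS, 3333, "pts/1", "guest", "192.0.2.10", T_GUEST),
]) + b"\x00" * 100


if __name__ == "__main__":
    recs = parse_wtmp(SAMPLE_WTMP)
    for r in logins_since(recs, 1121790000):
        print(f"{r['user']:10} {r['line']:6} {r['host']:16} {r['time']:%Y-%m-%d %H:%M:%S}")
    for user, host, t_in, t_out in sessions(recs):
        print(user, host, t_in, t_out if t_out is not None else "still logged in")
```

To run it against a real file, `parse_wtmp(open("/var/log/wtmp", "rb").read())`; on a box whose layout differs from the assumed 384-byte one the `assert` on the struct size will not catch it, so check `len(data) % 384` and the sanity of the first record's timestamp before trusting the output.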

Re: Help needed - server hacked twice in three days (and I don't think I'm a newbie)

2005-07-21 Thread Moritz Muehlenhoff
In gmane.linux.debian.devel.security, you wrote: Now, I find it unlikely to see the same local root exploit in 2.4.18 and 2.6.7. How did he gain root access? Are you sure it's 2.6.7 and not 2.6.8, the Sarge kernel? Anyway, there are several unfixed local privilege escalation security issues in

Re: Help needed - server hacked twice in three days (and I don't think I'm a newbie)

2005-07-21 Thread JM
I don't know what type of php applications you are using with apache, but with php I would recommend to use something like 'modsecurity' for apache, configuring modsecurity to your needs and have apache chrooted. For iptables, something like firehol can help you to setup iptables quickly. --