[GLLUG] server attack
Clay Dowling
clay at lazarusid.com
Sun Sep 20 20:37:57 EDT 2009
Eduardo Cesconetto wrote:
> A friend's hosting server is being attacked by somebody using mass.pl
> to change the index.html files in all the user folders, here is part of a
> log:
>
>
>
> any ideas on how to stop this?
>
Step one would be to stop running vulnerable services (i.e. all of them)
as root. The attacker has clearly managed to get root privileges.
Nothing exposed to the outside world should be run as root.
The second step is probably to track the attacker back to their source
IP (keeping in mind that they're probably running through another stolen
server or six), then meet them in person to discuss the finer points of
keeping your hands off other people's stuff. The opening gambit is
really a matter of personal choice, and I'll leave it to your friend's
discretion. I myself prefer two and a half feet of ash as a rhetorical
device.
Clay