[GLLUG] server attack
Eduardo Cesconetto
eduardo at cesconetto.com
Sun Sep 20 20:42:54 EDT 2009
Anybody have any idea on how to stop perlwebshell?
http://yola.in-berlin.de/perlwebshell/
On Sep 20, 2009, at 7:37 PM, Clay Dowling wrote:
> Eduardo Cesconetto wrote:
>> A friend's hosting server is being attacked by somebody using
>> mass.pl to change the index.html files in all the user folders,
>> here is part of a log:
>>
>>
>>
>> Any ideas on how to stop this?
>>
> Step one would be to stop running vulnerable services (i.e. all of
> them) as root. The attacker has clearly managed to get root
> privileges. Nothing exposed to the outside world should be run as
> root.
>
> The second step is probably to track the attacker back to their
> source IP (keeping in mind that they're probably running through
> another stolen server or six), then meet them in person to discuss
> the finer points of keeping your hands off other people's stuff. The
> opening gambit is really a matter of personal choice, and I'll leave
> it to your friend's discretion. I myself prefer two and a half feet
> of ash as a rhetorical device.
>
> Clay