[GLLUG] Fwd: server attack
Eduardo Cesconetto
eduardo at cesconetto.com
Sun Sep 20 20:49:37 EDT 2009
> mass.pl kinda emulates ssh... right?
>
> there is no ssh access to the server other than to the owner's IP..
>
> Apparently mass.pl is being executed from perlwebshell
>
> does this make sense?
>
> On Sep 20, 2009, at 7:37 PM, Clay Dowling wrote:
>
>> Eduardo Cesconetto wrote:
>>> A friend's hosting server is being attacked by somebody using mass.pl
>>> to change the index.html files in all the user folders, here is
>>> part of a log:
>>>
>>>
>>>
>>> any ideas on how to stop this?
>>>
>> Step one would be to stop running vulnerable services (i.e. all of
>> them) as root. The attacker has clearly managed to get root
>> privileges. Nothing exposed to the outside world should be run as
>> root.
>>
>> The second step is probably to track the attacker back to their
>> source IP (keeping in mind that they're probably running through
>> another stolen server or six), then meet them in person to discuss
>> the finer points of keeping your hands off other people's stuff.
>> The opening gambit is really a matter of personal choice, and I'll
>> leave it to your friend's discretion. I myself prefer two and a
>> half feet of ash as a rhetorical device.
>>
>> Clay
>
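
One way to check Clay's first point on a host, as an added example that is not part of the original thread: list every root-owned process that descends from a web server process, which is what a CGI script launched through a web shell looks like when the server itself runs its children as root. The function names, the `WEB_SERVERS` variable and the sample process table are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the layout of `ps -eo user,pid,ppid,comm`
# (illustrative only; not taken from the log mentioned in the thread).
sample_ps() {
cat <<'EOF'
USER PID PPID COMMAND
root 1 0 init
root 700 1 sshd
root 812 1 httpd
root 840 812 httpd
apache 841 812 httpd
root 902 840 perl
apache 950 841 perl
EOF
}

# Read a process table on stdin and print "pid command" for each root-owned
# process that has a web server among its ancestors. The server master itself
# is not reported: it is usually started as root only to bind the low port.
# WEB_SERVERS (hypothetical variable) overrides the list of server names.
root_web_children() {
  awk -v servers="${WEB_SERVERS:-httpd apache2 nginx lighttpd}" '
    BEGIN { n = split(servers, s, " "); for (i = 1; i <= n; i++) web[s[i]] = 1 }
    NR == 1 { next }                      # skip the header line
    { owner[$2] = $1; ppid[$2] = $3; comm[$2] = $4; order[++cnt] = $2 }
    END {
      for (k = 1; k <= cnt; k++) {
        pid = order[k]
        if (owner[pid] != "root") continue
        p = ppid[pid]; depth = 0
        # Walk up the parent chain; the depth cap guards against loops.
        while ((p in comm) && depth++ < 64) {
          if (comm[p] in web) { print pid, comm[pid]; break }
          p = ppid[p]
        }
      }
    }'
}

# Demo on the constructed table; on a live host use:
#   ps -eo user,pid,ppid,comm | root_web_children
sample_ps | root_web_children
```

Any line of output means the web server is handing root to its workers or CGI children, so a script run through it inherits root.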