[Cialug] Attack troubleshooting?

Nicolai nicolai-cialug at chocolatine.org
Tue Mar 1 11:16:22 CST 2011


On Mon, Feb 28, 2011 at 10:23:05PM -0600, L. V. Lammert wrote:
> Just had a CentOS 5.5 box come under some sort of attack, .. it appears
> that there is something ON the box that was trying to connect to an
> outside IP.

More information would be helpful.  Lots of people are responding
with good ideas, but some of their suggestions are based on guesses
due to lack of specifics.  We could give you better help if you
give us better information.  Without that information it's hard to
give good advice, although I agree with Josh More, that you should
seek third-party help.

We can help you prevent this from happening next time.  For starters:

1. How did you learn of this situation?  What were you doing when you
discovered the issue?  And did you corroborate it in any other way and
if so, how?

2. What IP address and port was the suspect process trying to connect
to?

3. What services does the machine run, including those you think
are unrelated?  Any add-ons to those services (for example CGI
programs for a webserver or special filtering for a mailserver.)

I agree with David Champion: besides other actions, you should find
out the cause of the suspected compromise.  If you don't it'll probably
happen again.

> I finally got into the box by playing with the firewall

I'd normally agree with Zachary Kotlarek (to check for mundane
explanations), but man, the statement about the firewall raises
eyebrows.  Even if the machine is not compromised, this is something
you should fix.  Can other people gain access to the box simply
by playing with the firewall?  (What does "playing with the firewall"
mean, anyway -- are firewall rules accessible via a webpage or
something?)  Were you blocked by the firewall at some point?  What
exactly did you do?

Let us know so we can help,

Nicolai