[Cialug] CentOS Security

Matthew Nuzum newz at bearfruit.org
Wed Mar 2 12:12:27 CST 2011


On Wed, Mar 2, 2011 at 10:33 AM, Paul Gray <gray at cs.uni.edu> wrote:

> On 03/02/2011 10:20 AM, L. V. Lammert wrote:
>
>> We had a web server (the only services exposed are a few web server &
>> php, .. not even any ssl or sensitive data) go bonkers a few days ago,
>> .. it appeared to be running some sort of attack code generating a
>> humongous amount of outbound traffic on port 80 to a server in Romania.
>> After finally getting a login I could find nothing unusual, and, upon
>> rebooting, I could not locate any trace of a login on the box nor
>> any unusual changed files.
>>
>> Two questions:
>>
>> * Is it possible that the vector was a php attack that was memory
>> resident (and cleared on reboot)?
>>
>
> It's likely that the attack vector was planted in a writeable directory,
> and that it's only a matter of time before an .ru IP address calls it up
> again.  Never trust a compromised system; reboots never fix the crux of the
> issue: how did they root the box in the first place?
>
>
Or it was in /tmp and your system wipes that on reboot.


> Take it offline and rebuild.
>
>
Sad, but this is probably necessary.

At work our systems block all outgoing traffic on port 80 except whitelisted
sites. It's annoying but it does help.

-- 
Matthew Nuzum
newz2000 on freenode, skype, linkedin, identi.ca and twitter

"An investment in knowledge pays the best interest." -Benjamin Franklin
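The outbound port-80 whitelist that Matthew describes above, as an added example that is not part of the original post and not the poster's own configuration. It generates (and only applies with `--apply`, as root) iptables rules for a CentOS-era box: new outbound TCP/80 connections are allowed only to the hosts in `WHITELIST`, everything else is logged and dropped. The whitelist entries and the `EGRESS80` chain name are hypothetical placeholders; the log line is what lets you notice a compromised web server trying to reach an unexpected host, which is exactly the traffic the thread starts with.

```shell
#!/bin/sh
# Egress whitelist for outbound HTTP (TCP/80).
# Hypothetical whitelist: names or IPs accepted by "iptables -d"; constructed for illustration.
WHITELIST="${WHITELIST:-mirror.centos.org 203.0.113.10}"

# Print the iptables commands instead of running them, so the ruleset can be
# reviewed (or checked) before it touches the box.
egress_rules() {
  # Dedicated chain keeps the OUTPUT chain readable and easy to flush.
  echo "iptables -N EGRESS80"
  # Only NEW outbound connections to port 80 are diverted; replies to inbound
  # web clients are ESTABLISHED and never enter this chain.
  echo "iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j EGRESS80"
  for host in $WHITELIST; do
    echo "iptables -A EGRESS80 -d $host -j ACCEPT"
  done
  # Log before dropping: a sudden burst of these lines in /var/log/messages is
  # the signal that something on the host is phoning home.
  echo "iptables -A EGRESS80 -j LOG --log-prefix 'EGRESS80-DROP: ' --log-level 4"
  echo "iptables -A EGRESS80 -j DROP"
}

# Dry run by default; "--apply" executes the rules (needs root) and persists
# them with the CentOS 5/6 init script.
if [ "${1:-}" = "--apply" ]; then
  egress_rules | sh && service iptables save
else
  egress_rules
fi
```

Run it without arguments to review the rules, then `sh egress80.sh --apply` as root. Anything the server legitimately fetches over HTTP (yum mirrors, update checks, external APIs) has to be on the list, which is the "annoying" part; the payoff is that an attacker's download or beacon over port 80 fails and shows up in the log.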