We have talked to two other data centers and ISPs in the area and they are seeing the same problem. Anybody else out there experiencing the same? It is getting very frustrating and it is taking us away from other areas of our business.
Could it be connected to this: DDOS attack on internet root server system [webmasterworld.com]?
I have a friend who runs his own server, and he went through the same ordeal a few months ago. Turns out a malicious hacker had planted some extra code in the program that handles displaying files in FTP, and possibly when doing a Unix directory display as well (i.e. sitting at a directly-connected terminal, not over the 'net). After he restored (or so he thought) his system, the planted code would "phone home" and open up a port for the hacker to use. I noticed that my FTP-directory-view of files was strange, files that were there not showing, others that were not there still showing, stuff like that.
The bottom line is that he had to "wipe" the entire OS and then re-install it in this case.
Like you, I'm not a server admin. So that's all I know about it. You might want to do some web searches and look in forums where such hacks are discussed.
Jim
Read more about the problem here: [proxypass.com...]
Talk to your tech, and see if this is the problem.......
Best regards,
~Danube
That just doesn't sound right. Are you sure it's from the outside?
Probably exists in the backup files.
First, since it keeps happening over and over, obviously either the exploit code/effect is still on the system (if you haven't wiped the hard drive and reinstalled from scratch) or you simply haven't closed the security hole that's letting the cracker in -- and in he comes again.
How about wiping the hard drive and reinstalling from scratch and applying all updates AND then installing tripwire and maybe other IDS type software too (from CD-ROM of known good software copies -- including patches/RPMs, etc) BEFORE you connect the machine to the network. That way, you may be able to tell what files the cracker is changing thanks to tripwire. That and maybe sending logs to another machine the cracker can't get to? For instance to a logging computer networked/connected to your server that's getting cracked via a printer cable that TCP/IP does not work over...
Second, how about installing a bridging firewall as a front end to your network that will record all packets in or out transparently. That way, the bad guy won't know his packets are being logged for study to see what he's doing.
Third, how about considering either beefing up the hardening scripts or procedures you're following to lock down your servers before you place them on the network -- or maybe also trying another OS like FreeBSD or OpenBSD rather than Linux that may be easier to make and keep secure and updated (i.e. BSD ports system).
Just some topics you might want to discuss with your tech.
Best wishes,
Louis
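Louis's suggestion above is to baseline the clean system with tripwire so that a trojaned directory-listing tool (the "files that were there not showing" symptom Jim describes) shows up as a changed file. The script below is an added illustration of that idea and is not from any poster in this thread nor from the tripwire project itself: it hashes every file under a directory, stores the baseline as JSON, and reports what was added, removed or modified. The directory tree it checks (a fake `bin` with `ls` and `cat`, a replaced `ls`, a planted `.backdoor` file) is constructed inside the script purely for demonstration; in real use the baseline would be written to read-only media or shipped to a machine the intruder cannot reach, exactly as the thread recommends.

```python
"""Minimal file-integrity baseline checker (added example, not from the thread).

Records a SHA-256 digest plus mode/uid/gid/size for every regular file under a
root, stores the result as JSON, and later reports added, removed and modified
entries. Tripwire does the same job with a signed database and far more
policy; this is a stand-alone sketch of the mechanism.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Walk `root` and return {relative_path: {mode, uid, gid, size, sha256|link}}.

    Symlinks are recorded by their target rather than followed, so a planted
    link that redirects a trusted name to an attacker's file is itself visible.
    """
    root_path = Path(root)
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root_path):
        dirnames.sort()  # deterministic order makes two runs comparable
        for name in sorted(filenames):
            p = Path(dirpath) / name
            st = p.lstat()
            entry = {
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "uid": st.st_uid,
                "gid": st.st_gid,
                "size": st.st_size,
            }
            if stat.S_ISLNK(st.st_mode):
                entry["link"] = os.readlink(p)
            elif stat.S_ISREG(st.st_mode):
                entry["sha256"] = _sha256(p)
            baseline[str(p.relative_to(root_path))] = entry
    return baseline


def save_baseline(baseline: dict, dest: str) -> None:
    """Persist the baseline; in practice write this to read-only or off-host storage."""
    with open(dest, "w", encoding="utf-8") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(src: str) -> dict:
    with open(src, "r", encoding="utf-8") as f:
        return json.load(f)


def compare(old: dict, new: dict) -> dict:
    """Return {"added": [...], "removed": [...], "modified": [...]} relative to `old`.

    Any change in digest, permissions, ownership or size counts as modified,
    which catches a replaced binary even if the attacker preserved its size.
    """
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(k for k in set(old) & set(new) if old[k] != new[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Walk through the thread's scenario on a constructed directory tree:
    baseline a fake bin/, then replace `ls` and plant a hidden file, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        fake_bin = Path(tmp) / "bin"
        fake_bin.mkdir()
        # constructed stand-ins for system binaries
        (fake_bin / "ls").write_bytes(b"original ls binary (constructed)")
        (fake_bin / "cat").write_bytes(b"original cat binary (constructed)")

        db = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(str(fake_bin)), str(db))

        # simulate the compromise described in the thread: a directory-listing
        # tool swapped for one that hides files, plus a planted payload
        (fake_bin / "ls").write_bytes(b"trojaned ls that hides files (constructed)")
        (fake_bin / ".backdoor").write_bytes(b"phone-home placeholder (constructed)")

        return compare(load_baseline(str(db)), build_baseline(str(fake_bin)))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The comparison is only as trustworthy as the copy of the baseline and of this checker that the intruder could not touch, which is why the thread's advice to build the baseline from known-good media before the box ever sees the network matters more than the hashing itself.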