Brett.Yeagley on 23 Feb 2012 15:52:50 -0800



Re: [PLUG] Hacked server - recovery


Is this a physical box or a VM? If a VM I would get a snapshot or create a template after you are "clean" again. This way you can get back to a clean system quickly in the future. Of course the question then is figuring out how they got in originally, because the weakness would obviously still be there.
If it's a physical box, I'd highly recommend thinking about virtualizing so you have the increased flexibility!

 
From: Tom Haines [mailto:hainest@gmail.com]
Sent: Thursday, February 23, 2012 11:42 PM
To: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
Subject: [PLUG] Hacked server - recovery
 
You definitely want to run something like rkhunter to see what happened. My policy has always been to wipe the box and rebuild completely from backups. It's not worth risking that rkhunter missed something. 

On Thursday, February 23, 2012, Eric at Lucii.org wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm trying to recover an Ubuntu-based web server that was hacked.
It was/is running a 2.x version of OpenRealty that contains more
vulnerabilities than I could imagine.

The hacker used it to send spam (no surprise.)  I was in a hurry
so to stop it I just did apt-get remove postfix.  That worked in
the same way that decapitation cures a headache.

Now that I *believe* I've cleaned up the malicious code, I'd
like to re-install and turn on postfix again.  Before I do, is
there a way to either throttle the email output (our expected
output is a couple of emails a day from the contact form) OR fire
off an alarm if there are more than <arbitrary low number> emails
being sent in a single hour?  Perhaps there is yet another
alternative that I've not thought of?  (So far, I've thought of:
not re-installing Postfix, replacing the web site code, and moving
to Tibet.)  I don't have authorization to replace this code yet
and my wife won't move to Tibet so that's out too... for now.

Eric
- --
#  Eric Lucas
#
#                "Oh, I have slipped the surly bond of earth
#                 And danced the skies on laughter-silvered wings...
#                                        -- John Gillespie Magee Jr
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk9GzaMACgkQ2sGpvXQrZ/4jfQCeM5AbcAGoRObvPD7skRdMMA1+
ABAAnRP+aYzGoHEzvlQRQgA0lxmtAhB0
=8Pcn
-----END PGP SIGNATURE-----
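The "alarm if more than N emails in an hour" option Eric asks about can be done from the Postfix log alone. The script below is an added example written for this thread; it is not code from Eric, Tom, Brett or the Postfix project. It counts the queue-manager "from=<...>" lines in mail.log for one clock hour and prints an ALARM line when the count exceeds a threshold, which is enough to trigger from cron. The log lines, the hostname web1, the threshold and the log path are constructed assumptions; the log format assumed is the stock syslog timestamp plus the default Postfix message format.

```shell
#!/bin/sh
# Added example (not from the PLUG thread): alarm when Postfix has accepted
# more than a threshold of messages in one clock hour. Assumes default
# syslog timestamps ("Feb 23 14:05:01") and the stock Postfix log format.

# Count messages qmgr accepted whose timestamp starts with PREFIX
# (e.g. "Feb 23 14"). Bounces (from=<>) are not counted, so a flood of
# backscatter does not hide a flood of real mail and vice versa.
count_sent_in_hour() {
    log="$1"; prefix="$2"
    n=$(grep -c "^$prefix:[0-9][0-9]:[0-9][0-9] .* postfix/qmgr\[[0-9]*]: [0-9A-Za-z]*: from=<[^>]" "$log" 2>/dev/null || true)
    echo "${n:-0}"
}

# Print an ok/ALARM line; exit status 0 when under the threshold, 1 when over.
check_hourly_rate() {
    log="$1"; prefix="$2"; threshold="$3"
    n=$(count_sent_in_hour "$log" "$prefix")
    if [ "$n" -gt "$threshold" ]; then
        echo "ALARM: $n messages queued in hour '$prefix' (threshold $threshold) in $log"
        return 1
    fi
    echo "ok: $n messages queued in hour '$prefix'"
    return 0
}

# Constructed sample log (not real traffic) so the script runs offline:
# one contact-form mail at 13:58, then three mails, one bounce and one
# delivery record in the 14:00 hour.
write_sample_log() {
    cat > "$1" <<'EOF'
Feb 23 13:58:10 web1 postfix/pickup[2001]: 1A2B3C4D5E: uid=33 from=<www-data>
Feb 23 13:58:10 web1 postfix/qmgr[1890]: 1A2B3C4D5E: from=<www-data@web1.example>, size=812, nrcpt=1 (queue active)
Feb 23 14:00:05 web1 postfix/qmgr[1890]: 2B3C4D5E6F: from=<www-data@web1.example>, size=9001, nrcpt=1 (queue active)
Feb 23 14:00:05 web1 postfix/qmgr[1890]: 3C4D5E6F7A: from=<www-data@web1.example>, size=9001, nrcpt=1 (queue active)
Feb 23 14:00:06 web1 postfix/qmgr[1890]: 4D5E6F7A8B: from=<www-data@web1.example>, size=9001, nrcpt=1 (queue active)
Feb 23 14:00:06 web1 postfix/qmgr[1890]: 5E6F7A8B9C: from=<>, size=3012, nrcpt=1 (queue active)
Feb 23 14:00:09 web1 postfix/smtp[2101]: 2B3C4D5E6F: to=<someone@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=4, status=sent (250 OK)
EOF
}

# Demo against the constructed log. For a real hourly cron job, call
# check_hourly_rate with /var/log/mail.log and "$(date '+%b %e %H')".
demo() {
    tmp=$(mktemp)
    write_sample_log "$tmp"
    check_hourly_rate "$tmp" "Feb 23 13" 2 || true   # 1 message: ok
    check_hourly_rate "$tmp" "Feb 23 14" 2 || true   # 3 messages: ALARM
    rm -f "$tmp"
}
demo
```

Two practical notes. The threshold of 2 in the demo is only there to show the alarm firing; for "a couple of emails a day" a real threshold of 5 to 10 per hour leaves room for legitimate bursts. Second, Postfix's SMTP-side rate limits (smtpd_client_message_rate_limit) do not see mail that PHP hands to the local sendmail binary, which is how a web form usually sends; to slow that path down the real knob is default_destination_rate_delay in main.cf, which inserts a delay between deliveries to the same destination, but that only drags out a spam run rather than stopping it, which is why the alarm above is the more useful half.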
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug