kernelOfTruth Watchman
Joined: 20 Dec 2005 Posts: 6111 Location: Vienna, Austria; Germany; hello world :)
defenderBG l33t
Joined: 20 Jun 2006 Posts: 817
Posted: Wed Dec 31, 2008 3:15 am
Hell-Razor wrote:
    How could they get a partial ls of my /home/ files without fully being into my machine?

smb/ftp?
My security-related knowledge is getting rusty... there were those programs that would checksum every file and check every few hours whether the checksum is still valid. Pretty effective for /etc, /bin, etc. What was their name?
merky1 n00b
Joined: 22 Apr 2003 Posts: 51
Posted: Wed Dec 31, 2008 5:42 am
I was thinking more along the lines of a P2P application being intercepted by the ISP.
_________________
ooo000 WoooHooo 000ooo
defenderBG l33t
Joined: 20 Jun 2006 Posts: 817
Posted: Wed Dec 31, 2008 9:49 am
Most torrent clients nowadays have a cryptographic extension; you can force them to allow only encrypted transfers. For IRC (xdcc is really good) I don't know if there is a way to encrypt the transfer.
cach0rr0 Bodhisattva
Joined: 13 Nov 2008 Posts: 4123 Location: Houston, Republic of Texas
Posted: Fri Jan 02, 2009 2:10 pm
If I might make another suggestion:
AIDE is your friend.
If you use SSH (which it seems you don't, but), something like fail2ban or denyhosts is a must, as well as disabling keyboard-interactive auth.
A hardened install with very finely-tuned grsec policies is needed as well.
I think everyone else has covered most of what I had.
hrmm... trying to think of what else. My box was marginally compromised a while back, and as I was admittedly lazy before, such an occurrence changed me from flippant to paranoid. Spent a good 3 weeks researching before bringing my box back online.
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54810 Location: 56N 3W
Posted: Fri Jan 02, 2009 2:27 pm
cach0rr0,
Marginally compromised?
That's like being a little bit pregnant.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
cach0rr0 Bodhisattva
Joined: 13 Nov 2008 Posts: 4123 Location: Houston, Republic of Texas
Posted: Fri Jan 02, 2009 2:40 pm
NeddySeagoon wrote:
    cach0rr0,
    Marginally compromised?
    That's like being a little bit pregnant.

ha... true enough.
Basically, someone had managed to upload a file (index.html) into DocumentRoot on one of my vhosts (I blame wordpress).
Which of course took precedence over index.php, so I couldn't figure out why on earth my site wouldn't show - then found that.
In theory the damage should have been mitigated to that one vhost.
It wasn't entirely clear to me when the upload occurred, so rather than trust I'd fixed the problem... I just backed up, blew everything away, and actually put in the effort to do things right the second time around.
I say "marginally" because to this day I'm still fairly confident the extent of the damage was that one vhost - but as visits to that site were so infrequent, and I rotate logs daily, I didn't have heaps of data to use to confirm - and of course, no AIDE, so I couldn't see what else might have been tinkered with. I would say I overreacted were sec not something I take exceptionally seriously.
EDIT: I'm also still fairly convinced, given that it's wordpress, it was classic SQL injection with dumpfile used to chunk the rogue index.html into DocumentRoot. Everything else being fairly sanely configured, I probably could have just scrapped that vhost and its DB, and its DB user, and been fairly safe - but I ain't trustin' it. Being hacked makes you feel far too violated - cue the innuendo.
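The checksum tools defenderBG was trying to remember, the AIDE that cach0rr0 recommends, and the rogue index.html in DocumentRoot above all come down to the same mechanism: record a baseline of file hashes and metadata, then diff a later scan against it. The script below is an added example written for this thread, not AIDE's code and not from any poster; it implements that baseline/verify loop in Python and, in demo(), replays a constructed version of the scenario described above (a vhost DocumentRoot with index.php, then an unexpected index.html appears and index.php is altered). Paths such as htdocs and aide.db.json are constructed for the example.

```python
"""Minimal file-integrity baseline/verify in the spirit of AIDE.

Added example (not AIDE's code and not from any poster in the thread).
Records SHA-256, size and mode for every regular file under a root,
then compares a later scan against the stored baseline and reports
files that were added, removed or changed.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Stream the file through SHA-256 so large media files don't load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root) -> dict:
    """Walk `root` and return {relative_path: {sha256, size, mode}} for regular files.

    Symlinks and special files are skipped in this simplified version.
    """
    root = Path(root)
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            p = Path(dirpath) / name
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = p.relative_to(root).as_posix()
            db[rel] = {
                "sha256": _sha256(p),
                "size": st.st_size,
                "mode": oct(stat.S_IMODE(st.st_mode)),
            }
    return db


def save_baseline(db: dict, dest) -> None:
    """Write the baseline as JSON.

    In real use keep this somewhere the host itself cannot rewrite
    (read-only media or off-box); a baseline an intruder can edit proves nothing.
    """
    Path(dest).write_text(json.dumps(db, indent=1, sort_keys=True))


def load_baseline(src) -> dict:
    return json.loads(Path(src).read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report added, removed and changed paths between two scans."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "changed": sorted(k for k in old & new if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario mirroring the thread: a vhost DocumentRoot holding
    index.php, then a rogue index.html appears and index.php is modified."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = Path(tmp) / "htdocs"  # constructed path
        (docroot / "wp-content").mkdir(parents=True)
        (docroot / "index.php").write_text("<?php echo 'site'; ?>\n")
        (docroot / "wp-content" / "plugin.php").write_text("<?php // plugin\n")

        baseline_file = Path(tmp) / "aide.db.json"  # constructed path
        save_baseline(scan(docroot), baseline_file)

        # Constructed tampering: a new file in DocumentRoot and an altered file.
        (docroot / "index.html").write_text("<html>unexpected</html>\n")
        (docroot / "index.php").write_text("<?php echo 'modified'; ?>\n")

        return compare(load_baseline(baseline_file), scan(docroot))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Running it reports index.html as added and index.php as changed, while the untouched plugin file is silent; that is exactly the signal the poster says he lacked ("no AIDE, so I couldn't see what else might have been tinkered with"). Two caveats from the thread carry over to any such tool: the baseline must exist before the incident, and both the baseline and the checker have to run from an environment you still trust (compare the LiveUSB run of chkrootkit/rkhunter later in the thread), since a scan launched from a possibly rootkitted kernel can be lied to.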
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54810 Location: 56N 3W
Posted: Fri Jan 02, 2009 2:45 pm
cach0rr0,
You backed up after the compromise?
You could have saved and restored a rootkit.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
madumlao n00b
Joined: 02 Jan 2009 Posts: 1
cach0rr0 Bodhisattva
Joined: 13 Nov 2008 Posts: 4123 Location: Houston, Republic of Texas
Posted: Fri Jan 02, 2009 3:38 pm
NeddySeagoon wrote:
    cach0rr0,
    You backed up after the compromise?
    You could have saved and restored a rootkit.

Selectively backed up.
Didn't back up the entire fs, just a few choice bits of media (/video and /music, specifically) and what have you - the backup was done booted into a LiveUSB env, as at that point I (understandably) no longer trusted my kernel.
Booted to LiveUSB, copied choice bits off to an external drive, wiped the system, rebuilt the system (this time hardened sources/profile/etc), mounted /external, copied a few pieces over. NB chkrootkit/rkhunter all came up clean running from the LiveUSB env.
Not too worried about that part... by that point I was actually paying attention - the compromise and the resultant necessary "overreaction" were purely a result of my own lazy behaviour. Had I done things right the first time, I'd have been able to see just how far they'd gotten, and known whether or not a wipe was necessary.
It was really a "come to jesus" moment.
As well as a number of friends pointing, laughing, and making me realize the error of my apathetic ways.
Quote:
    (14:52:03) strerror: check your aide logs, you do have aide installed and running RIGHT?
    (14:52:12) meat: nope ;x
    (14:52:15) strerror: muppet