Server Hacked

ADB firefox-gen at walala.org
Sat Aug 20 06:08:19 UTC 2005


Strong MD5 or Blowfish crypted root password and IDS, man. Also chroot 
prisons and eliminating those services you don't really need running all 
the time. Denying root log-in is good too (have to log in as standard 
user then su to root; attackers need to know both passwords rather than 
just one).


Brian C wrote:

>ADB wrote:
>
>>I doubt it. What services were/are you running? Did you use grsecurity
>>or SELinux?
>
>I wasn't using either of those. I did run Bastille and snort. The server
>ran apache, postfix, bind, mysql, b2evolution, phpbb, tor, ssh, vsftp
>(for internal lan use only), and probably some other things.
>
>I stopped paying close attention to port scans after making it a tor
>server. http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#Portscans
>
>I don't see which files have been tampered with yet. (That's the scary
>part.) It seems like without tampering with the actual locations that
>apache points to on my drive the hacker redirects all my sites to the
>same defacement message.
>
>I believe I'm going to have to make copies of my various configuration
>files and do a fresh install of the entire OS.
>
>Brian
>
>>Brian C wrote:
>>
>>>My Debian server has been hacked. Every web page I hosted now reads:
>>>
>>>"XTech Inc Was Here :D"
>>>XTech Inc we are: Status-x & PABLIN77
>>>uid=0(XTech Inc) gid=0(XTech Inc) groups=0(XTech Inc)
>>>Pablin77: MARY TE AMO!!!!!!
>>>
>>>Powered by XTech Inc / PABLIN77
>>>Made in ARGENTINA - pablin_77 at argentina.com
>>>
>>>I run Debian-testing and generally stay on top of updates. I do run a
>>>few too many services on that server though. I wonder if my recent
>>>addition of making it a tor server is what brought my humble server to
>>>these jerks' attention? I've little experience with recovering from this,
>>>so any advice on what steps to take from here, what log files are
>>>relevant, etc. would be greatly appreciated.
>>>
>>>Brian
