[Techtalk] Server was hacked into; looking for tips on how to secure it
jennyw at dangerousideas.com
Sun Feb 23 22:07:58 EST 2003

My server was hacked into. For the curious, it's 18.104.22.168 ... It is back
up now in its hacked state. I have tethereal running on it hoping to catch
something that will give me more clues (if the person tries coming back) but
I'm not too hopeful about that (especially since they'll quickly discover
that all outgoing traffic is blocked by an external firewall). The main
issue is that I can't figure out how they got in. This same person has
gotten in twice (I assume it's the same, since they send spam for something
called websalesjet), so obviously there's some vulnerability on the machine.
The first time, I had ipchains on the machine. This time I had an external
firewall -- a Sonicwall. I had opened only DNS, http, https, imap, imaps,
and smtp. I was running Postfix, Courier-IMAP, BIND9 (the first time I was
running BIND 8), Apache, MySQL, and PHP4. The only dynamic site I had up
was PostNuke Phoenix, which is pretty recent. I took down all other dynamic
sites in case they were the way they got in (I was running an older
PostNuke, IMP, Gallery, and phpBB 1.2).

I did notice that when I did a ps before taking down the system (I had
blocked port 25 outgoing so that they couldn't spam anyone) that a lot of
weird processes came up that were from www-data, so I think the exploit came
through there. I have no clues as to how that happened, and I'm reading up
on Apache, but if anyone has any ideas I'd love to know. I'm attaching the
ps output in case that provides a clue to someone.

With the new system, I'm installing Postfix with SMTP-Auth. This will help
with spamming if they're not careful, but that's hardly much. I'm also
installing Integrit, which will hopefully let me know what files get
modified. But that's only finding out that I've been attacked, not how it

Anyway, thanks in advance for any suggestions!
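The observation above that the odd processes all belonged to www-data is the kind of thing worth checking mechanically rather than by eye. The script below is an added example, not code from the original post or from any of the tools mentioned: it parses a saved `ps aux` listing and flags every process owned by the web-server account whose executable is not the web server itself. The expected-binary set and the sample ps lines are assumptions constructed for the example.

```python
"""Triage a saved `ps aux` listing: flag processes running as the web-server
user (www-data) that are not the web server binary.  Added example; the
sample listing and the EXPECTED set below are constructed assumptions."""
from collections import namedtuple

Proc = namedtuple("Proc", "user pid command")

# Binaries the web-server account is expected to run (assumption: Apache on a
# Debian-style box).  Anything else owned by www-data deserves a look.
EXPECTED = {"/usr/sbin/apache", "/usr/sbin/apache2", "/usr/sbin/httpd"}

# Constructed `ps aux` output for this example; not from the compromised host.
SAMPLE_PS = """\
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  1412  520 ?        S    Feb22   0:04 init [2]
root       812  0.0  0.3  4976 1624 ?        S    Feb22   0:00 /usr/sbin/apache
www-data   815  0.0  0.3  4984 1700 ?        S    Feb22   0:00 /usr/sbin/apache
www-data   816  0.0  0.3  4984 1700 ?        S    Feb22   0:00 /usr/sbin/apache
www-data  2213  0.0  0.2  2096  992 ?        S    03:11   0:00 /bin/sh -c cd /tmp; ./x
www-data  2214  0.1  0.5  6120 2860 ?        S    03:11   0:02 ./x
www-data  2301  0.0  0.2  1768  800 ?        S    03:12   0:00 perl /tmp/.m/spam.pl
postfix   1020  0.0  0.3  5120 1740 ?        S    Feb22   0:00 qmgr -l -t fifo -u
"""


def parse_ps(text):
    """Parse `ps aux` output into Proc records; COMMAND is column 11 onward."""
    procs = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 10)           # keep the command line intact
        if len(fields) < 11:
            continue
        procs.append(Proc(fields[0], int(fields[1]), fields[10]))
    return procs


def suspicious_webuser_procs(procs, user="www-data", expected=EXPECTED):
    """Return processes owned by `user` whose executable is not in `expected`."""
    flagged = []
    for p in procs:
        if p.user != user:
            continue
        exe = p.command.split()[0]              # first token is the executable
        if exe not in expected:
            flagged.append(p)
    return flagged


if __name__ == "__main__":
    for p in suspicious_webuser_procs(parse_ps(SAMPLE_PS)):
        print(f"pid {p.pid}: {p.command}")
```

On a live box, run it over `ps aux` output saved from the suspect system; a shell or interpreter running under the web-server account is the usual sign that the entry point was a web application rather than a mail or DNS service.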