Server hacked, Desperate for help with FC6

Bill Horne bill at horne.net
Sat Nov 25 10:38:56 EST 2006


David Kramer wrote:
> Bill Horne wrote:
>> Grant M. wrote:
>>> [snip]
>>> The Ubuntu Enterprise server we're using was compromised on a
>>> non-privileged account once, but there isn't anything installed that
>>> the user could use, so no worries. 
>> [snip]
>>
>> While we're on the subject, how did you find out?
>
> The first symptom was I was having problems with MySQL, which 
> eventually led to my website not working.
>
> In the end, the point of origin was almost definitely an exploit in 
> Zimbra, which is a web-based collaboration tool I installed to check 
> out, but never used.  I found all sorts of subtle hints, like a new 
> zimbra user, which ended up in the /etc/sudoers file, and it was in 
> the uucp group and the wheel group.
>
> The attack appears to have happened about three days after I installed 
> Zimbra, too.

Has anyone used a fingerprint verification scheme to check for hacks? 
Would it have caught this?

TIA.

Bill
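
Added example, not part of the original message: a hash-based fingerprint check over the account files named in the quoted report (passwd, group, sudoers), run against a temporary directory standing in for /etc. The file contents, the zimbra lines and all function names are constructed for illustration.

```python
import hashlib
import os
import tempfile

WATCHED = ("passwd", "group", "sudoers")  # account files named in the quoted report

def fingerprint(root, names=WATCHED):
    """Map each watched file under root to its SHA-256 hex digest (None if missing)."""
    digests = {}
    for name in names:
        try:
            with open(os.path.join(root, name), "rb") as fh:
                digests[name] = hashlib.sha256(fh.read()).hexdigest()
        except FileNotFoundError:
            digests[name] = None
    return digests

def changed_files(baseline, current):
    """Names whose digest differs from the baseline, including added or removed files."""
    return sorted(n for n in baseline.keys() | current.keys()
                  if baseline.get(n) != current.get(n))

def added_lines(before, after):
    """Lines in `after` that were not in `before`, to show what was appended."""
    old = set(before.splitlines())
    return [line for line in after.splitlines() if line not in old]

def write_tree(root, files):
    for name, text in files.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(text)

def demo():
    """Constructed stand-in for /etc before and after the changes the thread describes."""
    clean = {
        "passwd": "root:x:0:0:root:/root:/bin/bash\n",
        "group": "wheel:x:10:root\nuucp:x:14:uucp\n",
        "sudoers": "root ALL=(ALL) ALL\n",
    }
    tampered = {
        "passwd": clean["passwd"] + "zimbra:x:500:500::/opt/zimbra:/bin/bash\n",
        "group": "wheel:x:10:root,zimbra\nuucp:x:14:uucp,zimbra\n",
        "sudoers": clean["sudoers"] + "zimbra ALL=(ALL) ALL\n",
    }
    with tempfile.TemporaryDirectory() as root:
        write_tree(root, clean)
        baseline = fingerprint(root)  # in practice, keep this off the monitored host
        write_tree(root, tampered)
        changed = changed_files(baseline, fingerprint(root))
    return changed, added_lines(clean["passwd"], tampered["passwd"])

if __name__ == "__main__":
    print(demo())
```

A check like this only reports files on its watch list, and only if the stored baseline is out of reach of whoever modified the host.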

