
BLU Discuss list archive


Server hacked, Desperate for help with FC6

Bill Horne wrote:
> David Kramer wrote:
>> Bill Horne wrote:
>>> Grant M. wrote:
>>>> [snip]
>>>> The Ubuntu Enterprise server we're using was compromised on a
>>>> non-privileged account once, but there isn't anything installed that
>>>> the user could use, so no worries. 
>>> [snip]
>>> While we're on the subject, how did you find out?
>> The first symptom was I was having problems with MySQL, which
>> eventually led to my website not working.
>> In the end, the point of origin was almost definitely an exploit in
>> Zimbra, which is a web-based collaboration tool I installed to check
>> out, but never used.  I found all sorts of subtle hints, like a new
>> zimbra user, which ended up in the /etc/sudoers file, and it was in
>> the uucp group and the wheel group.
>> The attack appears to have happened about three days after I installed
>> Zimbra, too.
> Has anyone used a fingerprint verification scheme to check for hacks?
> Would it have caught this?

You mean like tripwire?  That wouldn't have necessarily detected anything,
unless a root-kit was installed in such a way as to replace system binaries.
But I doubt they'd bother with that unless the attacker was looking for
something very specific (i.e. they have a user targeted and want his password,
so they replace the 'login' program).  Typical script kiddies just want to
install an irc-bot or spam-server, and won't mess with the rest of the
system once they have root access.

Now something like 'chkrootkit' or rootkit hunter (
may have a better chance.

Of course, my musings may be complete take them for what
they're worth.
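As an added illustration of the fingerprint-verification idea being discussed (this is not tripwire's or chkrootkit's code): a minimal baseline-and-verify checker run over a constructed directory tree. The file contents and the `zimbra` sudoers/wheel entries are made up to mirror the changes David describes, and the point is that a baseline which covers configuration files, not only binaries, flags that kind of change.

```python
import hashlib
import os
import tempfile


def fingerprint(root):
    """Return {relative_path: sha256 hex} for every regular file under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                baseline[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return baseline


def verify(baseline, root):
    """Re-fingerprint root and report (modified, added, removed) paths, each sorted."""
    current = fingerprint(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return modified, added, removed


def demo():
    """Constructed scenario: baseline a tiny tree standing in for /etc and /bin,
    then apply the sudoers/group changes described in the thread and verify."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "bin"))
        files = {
            "etc/sudoers": "root ALL=(ALL) ALL\n",
            "etc/group": "wheel:x:10:root\nuucp:x:14:\n",
            "bin/login": "placeholder-login-binary\n",  # constructed stand-in, left untouched
        }
        for rel, content in files.items():
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(content)
        baseline = fingerprint(root)  # in practice: stored off-box or signed
        # Post-install changes mirroring the report: a new zimbra sudoers entry,
        # zimbra added to wheel and uucp, and one unexpected new file.
        with open(os.path.join(root, "etc/sudoers"), "a") as fh:
            fh.write("zimbra ALL=(ALL) ALL\n")
        with open(os.path.join(root, "etc/group"), "w") as fh:
            fh.write("wheel:x:10:root,zimbra\nuucp:x:14:zimbra\n")
        with open(os.path.join(root, "etc/newfile.conf"), "w") as fh:
            fh.write("constructed\n")
        return verify(baseline, root)


if __name__ == "__main__":
    print(demo())  # (['etc/group', 'etc/sudoers'], ['etc/newfile.conf'], [])
```

The check only helps if the baseline itself is trusted, which is why tripwire keeps its database signed or off the monitored host; a root-level intruder can otherwise re-baseline after making changes.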

