Security Basics mailing list archives
security advice
From: Edmund <edmund () belfordhk com>
Date: Tue, 24 Aug 2010 17:17:13 +0800
Hi,

Just yesterday, I found out that my company's e-mail server had been compromised. This fact, for some reason, didn't seem to be a 'big deal' to others. I'm still stunned; but, considering how lax I had become, it shouldn't be surprising. *sigh*

[story mode]

Basically, the incident started out with an innocuous "there is something wrong with sending e-mail" from a co-worker. I looked at the e-mail server and everything seemed to be ok, so I decided to check the firewall. That's when I noticed it was running very sluggishly. "Uh oh." I couldn't figure out which program was making it go slow. I thought it was the proxy, but it wasn't. I rebooted the firewall. It was ok up until a certain point, and that's when it slowed down.

I tcpdump'd one ethernet NIC and noticed a huge number of packets being sent to a remote site from my e-mail server. (Capital UH OH) Checking out |ps ax|, I noticed a very suspicious file: "./s <ip#>". Immediately I knew someone had accessed the system. I started to become a little panicky. I searched for the './s' file. Then, looking online, I found that I could go into the /proc filesystem, find the pid, and the exe would be shown. Found the full path. Looking at the files within the folder "/var/tmp/.b", it was confirmed.

I shouldn't have done what I did next. I killed the running program and deleted the folder. :( In hindsight, I should have killed the program and zipped up the darn folder for analysis. I'm still regretting that move. *banging head on table*

Cleaned up a few extra items and it seems normal. I ran 'rkhunter' and filled out the necessary warnings it found.

[story mode off]

I'm still reprimanding myself for being so careless. This is one lesson that I gotta have imprinted in my thick skull. Anyway, given this lesson, can someone offer any methodologies/programs that I can use to protect the company system? I'm now going through the firewall rules to find out what holes the intruder might have entered through.
Thanks. Ed
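Two steps from the story above, the /proc lookup that recovers a process's real executable path and the "zip up the folder for analysis" that Ed wishes he had done, as an added example written for this archive page and not part of Ed's post. The function names, the `proc_root` parameter (so the code can be exercised against a constructed fake /proc tree) and the sample values are this example's own assumptions.

```python
import hashlib, os, tarfile, time
from pathlib import Path

def triage_pid(pid, proc_root="/proc"):
    """Collect what /proc exposes about a live process: the real executable
    path (even if the binary was renamed or unlinked), its argv and its cwd.
    proc_root is a hypothetical knob so the function can run against a test tree."""
    p = Path(proc_root) / str(pid)
    info = {"pid": pid}
    for link in ("exe", "cwd"):
        try:
            info[link] = os.readlink(p / link)
        except OSError as e:  # process exited, or not enough privilege to read it
            info[link] = f"<unreadable: {e.__class__.__name__}>"
    raw = (p / "cmdline").read_bytes() if (p / "cmdline").exists() else b""
    info["argv"] = [a.decode(errors="replace") for a in raw.split(b"\0") if a]
    # A binary unlinked while still running shows up as "<path> (deleted)"
    info["exe_deleted"] = info["exe"].endswith(" (deleted)")
    return info

def preserve_directory(src_dir, dest_dir):
    """Archive a suspect directory for later analysis instead of deleting it.
    Returns (archive_path, manifest); manifest maps relative path -> sha256 so
    the preserved files can be verified and compared against threat intel later."""
    src, dest = Path(src_dir), Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    archive = dest / f"evidence-{src.name.lstrip('.') or 'dir'}-{stamp}.tar.gz"
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for f in sorted(src.rglob("*")):
            if f.is_file() and not f.is_symlink():
                rel = str(f.relative_to(src))
                manifest[rel] = hashlib.sha256(f.read_bytes()).hexdigest()
                tar.add(f, arcname=rel)
    # Hash manifest beside the archive, in sha256sum format, for later verification
    with open(str(archive) + ".sha256", "w") as fh:
        for rel, digest in manifest.items():
            fh.write(f"{digest}  {rel}\n")
    return archive, manifest
```

Run `triage_pid` first and `preserve_directory` on the directory it reveals before killing anything; the tarball and manifest are what you hand to whoever does the analysis.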