[Cialug] CentOS Security
Paul Gray
gray at cs.uni.edu
Wed Mar 2 10:33:15 CST 2011
On 03/02/2011 10:20 AM, L. V. Lammert wrote:
> We had a web server (the only services exposed are a few web server &
> php, .. not even any ssl or sensitive data) go bonkers a few days ago,
> .. it appeared to be running some sort of attack code generating a
> humongous amount of outbound traffic on port 80 to a server in Romania.
> After finally getting a login I could find nothing unusual, and, upon
> rebooting, I could not locate any trace of a login on the box nor
> any unusual changed files.
>
> Two questions:
>
> * Is it possible that the vector was a php attack that was memory
> resident (and cleared on reboot)?
It's likely that the attack vector was planted in a writeable directory,
and that it's only a matter of time before an .ru IP address calls it up
again. Never trust a compromised system; reboots never fix the crux of
the issue: how did they root the box in the first place?
Take it offline and rebuild.
> * Does it make sense to block *outbound* port 80?
Allow egress on port 80 only for CentOS updates; otherwise, when you rebuild the
box, yes... limit egress on port 80.
--
Paul Gray -o)
314 East Gym /\\
University of Northern Iowa _\_V
Message void if penguin violated ... Don't mess with the penguin
No one ever says "Hey, I can't read that ASCII e-mail ya sent me."
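Added triage helpers, not part of Paul's or Lyle's messages: Paul's guess is that the attack code was dropped into a writeable directory, and that is where to look before wiping the box. The script below (assumed paths, assumed pattern list, constructed sample files) finds PHP under a web root whose inode changed recently and that contains the decode-and-execute constructs typical of planted scripts, lists world-writable directories, and lists PHP owned by the web server account. It uses ctime rather than mtime on purpose: touch(1) lets an attacker backdate mtime to blend in with the neighbouring files, but it cannot set ctime.

```shell
#!/bin/sh
# Triage for a PHP web root after a suspected compromise (added example, not
# from the original thread). WEBROOT and the pattern list are assumptions;
# adjust them to your layout.

# Constructs commonly found in planted PHP: decode a payload (POSTed or embedded)
# and execute it, or spawn a shell / outbound socket. Matched with grep -E.
SUSPECT_RE='eval *\(|assert *\(|base64_decode *\(|gzinflate *\(|str_rot13 *\(|shell_exec *\(|passthru *\(|popen *\(|proc_open *\(|fsockopen *\('

# PHP files whose ctime is within the last N days (default 7) and that match
# SUSPECT_RE. ctime is used because mtime can be backdated with touch(1).
find_suspect_php() {
    root="$1"; days="${2:-7}"
    find "$root" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) \
        -ctime "-$days" -exec grep -lE "$SUSPECT_RE" {} + 2>/dev/null
}

# World-writable directories under the root: upload and cache directories are
# where a dropped file usually lands.
find_world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null
}

# PHP owned by a given user (name or numeric uid). A deployed application is
# normally owned by a deploy user, so a .php owned by the httpd account was
# most likely written by the web server process itself.
find_php_owned_by() {
    root="$1"; owner="$2"
    find "$root" -type f -name '*.php' -user "$owner" 2>/dev/null
}

# Constructed demo web root (sample data, not a real site): one clean page and a
# dropper hidden in a world-writable uploads directory. Prints the directory.
make_demo_webroot() {
    d=$(mktemp -d)
    mkdir -p "$d/uploads"
    chmod 0777 "$d/uploads"
    printf '<?php echo "hello"; ?>\n' > "$d/index.php"
    printf '<?php @eval(base64_decode($_POST["c"])); ?>\n' > "$d/uploads/.cache.php"
    echo "$d"
}

# Walk the constructed root; on a real box run the three functions against
# /var/www/html (or wherever DocumentRoot points) with the httpd user.
DEMO=$(make_demo_webroot)
echo "== suspect PHP (ctime < 7 days) under $DEMO"
find_suspect_php "$DEMO" 7
echo "== world-writable directories"
find_world_writable_dirs "$DEMO"
echo "== PHP owned by current user"
find_php_owned_by "$DEMO" "$(id -u)"
rm -rf "$DEMO"
```

Run it from a read-only mount or a copy of the disk if you can; running find and grep on the live root updates atimes and, if the attacker left a rootkit in place, you cannot trust the box's own find and grep anyway, which is the practical reason behind "take it offline and rebuild."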
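Added example for the egress question, not code from the thread: one way to do "limit egress port 80 except for updates" on the rebuilt box is an iptables chain that accepts new outbound TCP/80 connections only to the update mirror(s) and logs and drops the rest. The mirror addresses below are placeholders from the documentation ranges; substitute the host of the baseurl you pin in /etc/yum.repos.d/CentOS-Base.repo. The function emits the iptables commands instead of running them, so the policy can be reviewed and saved before it is applied.

```shell
#!/bin/sh
# Generate an egress policy for outbound TCP/80 (added example, not from the
# original thread). Mirror IPs are assumed placeholders; pass your own.

# Print the iptables commands for the policy, one per line, for the given
# mirror addresses. Nothing is applied here.
egress80_rules() {
    echo 'iptables -N EGRESS80'
    # Only NEW outbound connections enter the chain; replies to inbound web
    # clients already match the usual ESTABLISHED,RELATED accept rule.
    echo 'iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j EGRESS80'
    for ip in "$@"; do
        echo "iptables -A EGRESS80 -d $ip -j ACCEPT"
    done
    # Log before dropping, rate limited, with --log-uid so the log line shows
    # which local account (apache vs. root) opened the connection.
    echo 'iptables -A EGRESS80 -m limit --limit 10/min -j LOG --log-prefix "EGRESS80 DROP " --log-uid'
    echo 'iptables -A EGRESS80 -j DROP'
}

# Number of ACCEPT exceptions in the generated policy. A long list usually
# means a mirrorlist fan-out is being allowed instead of one pinned mirror.
egress80_accept_count() {
    egress80_rules "$@" | grep -c ' -j ACCEPT$'
}

# Example policy for two assumed mirror addresses (RFC 5737 documentation ranges).
egress80_rules 203.0.113.10 198.51.100.20
```

Two caveats: yum's default mirrorlist= line resolves to a changing set of mirrors, so pin baseurl= to a single mirror (or point yum at a local proxy and allow only the proxy out) before enabling the DROP rule, and remember this only covers port 80; the next payload may well phone home on 443 or a high port, so the same default-deny approach belongs on the whole OUTPUT chain.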