[Cialug] CentOS Security

Tom Pohl tom at tcpconsulting.com
Wed Mar 2 12:31:07 CST 2011


I'm a big fan of blocking ALL outbound traffic and requiring egress to go through a proxy server.

-Tom

On Mar 2, 2011, at 10:33 AM, Paul Gray wrote:

> On 03/02/2011 10:20 AM, L. V. Lammert wrote:
>> We had a web server (the only services exposed are a few web server &
>> php, .. not even any ssl or sensitive data) go bonkers a few days ago,
>> .. it appeared to be running some sort of attack code generating a
>> humongous amount of outbound traffic on port 80 to a server in Romania.
>> After finally getting a login I could find nothing unusual, and, upon
>> rebooting, I could not locate any trace of a login on the box nor
>> any unusual changed files.
>> 
>> Two questions:
>> 
>> * Is it possible that the vector was a php attack that was memory
>> resident (and cleared on reboot)?
> 
> It's likely that the attack vector was planted in a writeable directory, and that it's only a matter of time before an .ru IP address calls it up again.  Never trust a compromised system, reboots never fix the crux of the issue: how did they root the box in the first place?
> 
> Take it offline and rebuild.
> 
>> * Does it make sense to block *outbound* port 80?
> 
> Allow only egress 80 for CentOS updates, otherwise when you rebuild the box, yes...limit egress port 80.
> 
> -- 
> Paul Gray                                         -o)
> 314 East Gym                                      /\\
> University of Northern Iowa                      _\_V
>  Message void if penguin violated ...  Don't mess with the penguin
>  No one ever says "Hey, I can't read that ASCII e-mail ya sent me."
> _______________________________________________
> Cialug mailing list
> Cialug at cialug.org
> http://cialug.org/mailman/listinfo/cialug
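What Tom and Paul describe, put into a concrete ruleset. This is an added example and not code from anyone on the thread: a default-deny OUTPUT chain in iptables-restore format that permits port 80 only to named CentOS mirrors, sends everything else that wants the web to a proxy, and logs every refused connection so a box that starts "phoning home" shows up in the logs. The proxy address and port, the mirror and resolver addresses, the interface name and the sample log lines are all assumptions (RFC 5737 documentation ranges); substitute your own.

```shell
#!/bin/sh
# Added example, not code from the thread: default-deny egress for a CentOS
# web server, plus a summary of what the policy refused. Every address below
# is an assumption (RFC 5737 documentation ranges); replace with your own.
PROXY_IP="${PROXY_IP:-192.0.2.10}"                        # assumed egress HTTP proxy
PROXY_PORT="${PROXY_PORT:-3128}"                          # assumed proxy port
MIRROR_IPS="${MIRROR_IPS:-198.51.100.20 198.51.100.21}"   # assumed yum mirrors (pin them with baseurl=)
DNS_IPS="${DNS_IPS:-192.0.2.53}"                          # assumed resolver; yum needs name resolution

# Emit a complete filter table in iptables-restore format. OUTPUT defaults to
# DROP; only replies, DNS, the update mirrors on 80 and the proxy are allowed.
gen_egress_rules() {
    # inbound side: loopback, replies, the web service, and admin ssh (assumed)
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    # name resolution, so yum can find its mirrors
    for ip in $DNS_IPS; do
        printf '%s\n' "-A OUTPUT -d $ip -p udp --dport 53 -j ACCEPT"
    done
    # Paul's point: egress 80 only to the CentOS update mirrors
    for ip in $MIRROR_IPS; do
        printf '%s\n' "-A OUTPUT -d $ip -p tcp --dport 80 -j ACCEPT"
    done
    # Tom's point: anything else that wants the web goes through the proxy
    printf '%s\n' "-A OUTPUT -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT"
    # log (rate-limited) what the DROP policy is about to refuse
    cat <<'EOF'
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DROP: "
COMMIT
EOF
}

# Read syslog on stdin and print "count DST DPT", most frequent first.
# A compromised server hammering one foreign host lands on the top line.
count_egress_drops() {
    grep 'EGRESS-DROP:' \
      | sed -n 's/.*DST=\([^ ]*\) .*DPT=\([0-9]*\).*/\1 \2/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2, $3 }'
}

# Constructed sample of /var/log/messages (not real data): three refused SYNs
# to one host on 80, one to an IRC port, and one unrelated sshd line.
SAMPLE_LOG='Mar  2 10:15:01 web1 kernel: EGRESS-DROP: IN= OUT=eth0 SRC=203.0.113.5 DST=198.51.100.77 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=43210 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  2 10:15:01 web1 kernel: EGRESS-DROP: IN= OUT=eth0 SRC=203.0.113.5 DST=198.51.100.77 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=43211 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  2 10:15:02 web1 kernel: EGRESS-DROP: IN= OUT=eth0 SRC=203.0.113.5 DST=198.51.100.77 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=43212 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  2 10:15:09 web1 kernel: EGRESS-DROP: IN= OUT=eth0 SRC=203.0.113.5 DST=192.0.2.99 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=43213 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  2 10:15:10 web1 sshd[2211]: Accepted publickey for admin from 203.0.113.9 port 51000 ssh2'

# Stand-alone run: print the ruleset, then the drop summary for the sample log.
gen_egress_rules
printf '%s\n' "$SAMPLE_LOG" | count_egress_drops
```

To load it on a CentOS box of that era, write the output to /etc/sysconfig/iptables and run `service iptables restart` (or pipe it straight into `iptables-restore` to try it first). Because the default mirrorlist= in /etc/yum.repos.d rotates between hosts, pin a baseurl= to the mirrors you allowed, or yum will be one of the things the policy blocks. Two caveats a practitioner should keep in mind: the rules live on the host, so an attacker with root can simply flush them, which is one more reason Paul's "take it offline and rebuild" is the real fix, and the same allowlist belongs on the network edge as well; and the LOG rule is rate-limited, so the counts above are a lower bound on what was actually refused.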
