Quote:
Originally Posted by gianh
what should i look for?
Something piggybacking onto a vulnerable setup or a good breach of security. I don't know. No info. I'd say log the full process, open files, user logins and network connection data (off site), then raise the firewall to only allow traffic from and to your management IP (range), then kill all 'net-facing services except SSH, then look around for stray processes. Then post info here to help us help you. For checks after that read the Intruder Detection Checklist (CERT):
http://www.cert.org/tech_tips/intrud...checklist.html.
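The triage order described above (snapshot volatile state first, then restrict the firewall to the management range, then hunt for stray processes), as an added shell example that is not from this thread or from CERT. It assumes a Linux host with procps/iproute2 and treats the management CIDR and the evidence directory as placeholders; the firewall rules are only printed for review, never applied.

```shell
#!/bin/sh
# Added example, not code from the thread. Triage helpers for a Linux host
# suspected of compromise: snapshot volatile state first, then emit (not
# apply) a lockdown firewall script restricted to a management range.
# Placeholders: MGMT_CIDR (your management IP range) and the evidence dir.

# Snapshot processes, sockets, open files and logins into $1 and hash them.
# Order matters: collect volatile data before any service is stopped.
collect_evidence() {
    dir="$1"
    mkdir -p "$dir" || return 1
    ps -eo pid,ppid,user,etime,args > "$dir/ps.txt" 2>/dev/null || :
    { ss -tulpan 2>/dev/null || netstat -tulpan 2>/dev/null; } > "$dir/net.txt" || :
    lsof -n -P > "$dir/lsof.txt" 2>/dev/null || :
    { who; last -aiF; } > "$dir/logins.txt" 2>/dev/null || :
    cp /etc/passwd "$dir/passwd.txt" 2>/dev/null || :
    # Hash so copies shipped off-box can be checked against the originals.
    ( cd "$dir" && sha256sum -- *.txt > SHA256SUMS ) 2>/dev/null || :
    [ -f "$dir/ps.txt" ]
}

# List PIDs whose running binary was deleted from disk or lives in a
# world-writable scratch directory: common signs of a dropped payload.
suspicious_processes() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            *"(deleted)"*|/tmp/*|/dev/shm/*|/var/tmp/*)
                echo "${p#/proc/} $exe" ;;
        esac
    done
    return 0
}

# Print an iptables script that allows SSH only from the management range
# (and new outbound connections only to it, for shipping evidence) and
# drops everything else. Review and apply from a console or the management
# host, since it cuts off every other path in.
lockdown_rules() {
    mgmt="$1"
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s $mgmt --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -p tcp -d $mgmt -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Usage: MGMT_CIDR=198.51.100.0/24 sh triage.sh run
if [ "${1:-}" = "run" ]; then
    out="/root/evidence-$(date +%Y%m%d-%H%M%S)"   # placeholder location
    collect_evidence "$out" && echo "evidence written to $out"
    echo "suspicious processes (pid exe):"
    suspicious_processes
    lockdown_rules "${MGMT_CIDR:-203.0.113.0/24}" > "$out/lockdown.sh"
    echo "review $out/lockdown.sh before applying it"
fi
```

Copy the evidence directory to the management host and verify it against SHA256SUMS before stopping services, so the record of what was running and connected survives whatever the cleanup changes.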
Quote:
Originally Posted by Savet
In general, once a box is tainted, a clean OS install is the only 100% sure way to make sure it's clean.
...but before you do, you should put some effort into investigating the matter. With breaches of security there's no room for gut feelings, "thinking" or assumptions. If you don't, then sure, you can harden a box the next time around, but you won't know what caused it.
Quote:
Originally Posted by Savet
as they likely exploited a weak ssh password initially to gain control of the box.
What clues did I miss that it's that specific vector?