[nycphp-talk] Issues with server getting hacked
Ajai Khattri
ajai at bitblit.net
Fri Sep 11 16:11:29 EDT 2009
On Fri, 11 Sep 2009, Randal Rust wrote:
> That's what I was thinking actually. There has to be something
> *somewhere* that would give me an indication of where the issue lies.
Finding the source of a break-in like this can be notoriously difficult.
Much better to wipe the drive and reinstall using the latest OS and
software that can run your app (because you have no idea if any system
binaries have been replaced with trojans).
If the break-in is through an OS vulnerability then keeping it up to date
will help. Obviously, if it happens again with an up-to-date OS, then it's
possible it's a vulnerability in PHP and/or your application code (in which
case looking at POST requests in logs might help).
I once had an old server that had an IRC process running disguised as a
regular Apache process. I only figured it out by observing open port
numbers using netstat and finding the process with lsof. In the end I
narrowed the problem down to an old component in a Joomla install that
had a known vulnerability - updating that component fixed the problem.
But servers are constantly fending off brute-force ssh attacks (denyhosts
is your friend for that kind of crap). These days I switch off all
unnecessary services and make sure needed services are not exposed to the
outside (MySQL listening on localhost, Postfix too if it's just used for
sending out, etc). On many systems this might mean running a firewall
with a very locked down configuration (protocol tracking is also my
friend).
--
Aj.
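The netstat/lsof check and the "look at POST requests in the logs" check described in the post above, as an added example that is not part of the original message or the poster's own scripts: a small POSIX shell script that flags listening sockets not on an allow-list for the host (and local-only services such as MySQL and outbound-only Postfix bound to 0.0.0.0 instead of 127.0.0.1), then summarises POST requests by client and target script. The netstat output, the access log lines, the allow-list and the list of known form handlers are all constructed sample data and assumptions, not data from anyone's real server; on a real machine you would feed it the output of `netstat -tlnp` (or `ss -tlnp`) and the Apache access log, and follow up any suspicious port with `lsof -i :PORT`. One caveat the script makes visible: the default Apache access log records only the request line, not the POST body, so what you can get from it is who POSTed to which script and how often, which is usually enough to point at the component to look at.

```shell
#!/bin/sh
# Added example (not from the original post). Two post-break-in checks:
# 1. listening sockets that don't match what this host is supposed to serve,
# 2. a summary of who POSTed to which script, from the Apache access log.
# Every input below is CONSTRUCTED sample data so the script runs offline.
# On a real host replace NETSTAT_SAMPLE with `netstat -tlnp` output and
# ACCESS_LOG_SAMPLE with the contents of the access log.

# Constructed `netstat -tlnp` output. Note the second "apache2" on port 6667
# (the usual IRC port): the kind of disguised process the post describes.
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1203/apache2
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      990/mysqld
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN      4412/apache2
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1011/master'

# Assumed allow-list for this host: "port program" pairs that should be
# listening. Anything else gets reported.
EXPECTED_LISTENERS='22 sshd
80 apache2
443 apache2
3306 mysqld
25 master'

# Assumed local-only services (MySQL, outbound-only Postfix): these must be
# bound to 127.0.0.1, never to a wildcard address.
LOOPBACK_ONLY_PORTS='3306 25'

# Print one line per listener that is not on the allow-list ("UNEXPECTED")
# or is a local-only service bound to a non-loopback address ("EXPOSED").
flag_unexpected_listeners() {
    printf '%s\n' "$NETSTAT_SAMPLE" |
    awk -v expected="$EXPECTED_LISTENERS" -v lo="$LOOPBACK_ONLY_PORTS" '
    BEGIN {
        n = split(expected, lines, "\n")
        for (i = 1; i <= n; i++) ok[lines[i]] = 1
        m = split(lo, ports, " ")
        for (i = 1; i <= m; i++) loopback[ports[i]] = 1
    }
    $6 == "LISTEN" {
        ip = $4;   sub(/:[0-9]+$/, "", ip)       # local address without the port
        port = $4; sub(/.*:/, "", port)          # port number only
        prog = $7; sub(/^[0-9]+\//, "", prog)    # program name from "PID/name"
        if (!((port " " prog) in ok))
            print "UNEXPECTED", ip ":" port, $7
        else if ((port in loopback) && ip != "127.0.0.1")
            print "EXPOSED", ip ":" port, $7
    }'
}

# Constructed Apache combined-format access log. The default log has the
# request line but NOT the POST body, so the most it tells you is who
# POSTed to which script, how often, and with which User-Agent.
ACCESS_LOG_SAMPLE='203.0.113.9 - - [11/Sep/2009:15:02:11 -0400] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Sep/2009:15:02:14 -0400] "POST /contact.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Sep/2009:15:40:02 -0400] "POST /components/com_example/upload.php HTTP/1.1" 200 88 "-" "libwww-perl/5.808"
198.51.100.7 - - [11/Sep/2009:15:41:10 -0400] "POST /images/stories/x.php HTTP/1.1" 200 30 "-" "libwww-perl/5.808"
198.51.100.7 - - [11/Sep/2009:15:41:12 -0400] "POST /images/stories/x.php HTTP/1.1" 200 30 "-" "libwww-perl/5.808"'

# Summarise POST requests as "count client path", most frequent first.
post_summary() {
    printf '%s\n' "$ACCESS_LOG_SAMPLE" |
    awk -F'"' '{
        split($1, pre, " ")      # pre[1] is the client address
        split($2, req, " ")      # req[1] is the method, req[2] the path
        if (req[1] == "POST") print pre[1], req[2]
    }' | sort | uniq -c | sort -rn
}

# Assumed list of scripts that legitimately receive POSTs on this site.
KNOWN_POST_HANDLERS='/contact.php'

# Only the POST targets that are not known form handlers: these are the
# lines to pull in full from the log and match against the components
# installed on the site.
unexpected_post_targets() {
    post_summary | awk -v known="$KNOWN_POST_HANDLERS" '
    BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
    !($3 in ok)'
}

echo "== listeners not matching the allow-list =="
flag_unexpected_listeners
echo "== POST requests to scripts that are not known form handlers =="
unexpected_post_targets
```

Run it with plain `sh`; it needs only awk, sort and uniq. With the sample data it reports the apache2 process on port 6667 as UNEXPECTED and MySQL on 0.0.0.0:3306 as EXPOSED, and lists the two POST targets that are not the site's contact form. The port/program allow-list is the part you have to maintain per host, which is also why the poster's advice to switch off everything unnecessary makes the check so much easier.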