Re: newbie with www user security problem

From: Stijn Hoop (stijn_at_win.tue.nl)
Date: 08/11/05

    Date: Thu, 11 Aug 2005 15:46:50 +0200
    To: Ken Hawkins <ken@rosewoodblues.com>
    
    
    

    On Thu, Aug 11, 2005 at 09:32:22AM -0400, Ken Hawkins wrote:
    > we have been hacked by a spammer

    [snip]

    > X-AntiAbuse: Board servername - srforum.prosoundweb.com

    Ouch. You appear to be running a phpBB installation from 2002 (version
    2.0.6). That's asking for trouble. A lot of exploits have been found
    in phpBB since that time; see

    http://www.phpbb.com/support/documents.php?mode=changelog

    and

    http://www.vuxml.org/freebsd/pkg-phpbb.html

    There are lots of automated scripts running on already compromised
    machines that scan other machines for these vulnerabilities. Assuming
    that is how the spammer got in, there is no telling what he has done
    after that.

    You must assume that your machine has been fully compromised. The
    only way to know for sure that your machine is clean again is to build
    a new machine from scratch and transfer all your _non-executable_ data
    to it.

    You _might_ be able to get away with identifying any and all
    processes, removing suspicious data from /tmp, /var/tmp and any other
    OS place, changing passwords on _all_ accounts (but especially
    sensitive ones like root, your own and www). But you might not find
    the one backdoor that the spammer left and then you're back to square
    one again.

    It's your choice.

    To prevent this from happening, perform regular port updates and make
    sure to subscribe to the announcement list of high-profile publicly
    accessible software that you run.

    Good luck.

    --Stijn

    -- 
    A "No" uttered from deepest conviction is better and greater than a
    "Yes" merely uttered to please, or what is worse, to avoid trouble.
    		-- Mahatma Gandhi
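
A read-only first pass over the manual cleanup the message describes (processes, /tmp, /var/tmp), as an added example that is not part of the original post. The account name `www` as default and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: first-pass triage for the account a web server runs as.
# Assumption: that account is "www", the one named in the thread.

# List regular files under the given directories that are owned by USER and
# are either executable by their owner or hidden (name starts with a dot).
# Nothing is deleted; the output is a list for manual review.
owned_suspects() {
    user=$1; shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -xdev -type f -user "$user" \
            \( -perm -100 -o -name '.*' \) -print 2>/dev/null
    done
}

# Show every process running as USER with its parent PID and command line.
user_processes() {
    ps -U "$1" -o pid,ppid,args
}

# Report for one account: processes first, then files in the temp directories.
triage() {
    user=${1:-www}
    echo "== processes running as $user =="
    user_processes "$user" || echo "(none)"
    echo "== executable or hidden files owned by $user =="
    owned_suspects "$user" /tmp /var/tmp
}

# Run the report only when invoked with an account name, e.g.: sh triage.sh www
if [ "$#" -gt 0 ]; then
    triage "$1"
fi
```

The output is a list of candidates to inspect; anything planted outside the temp directories or under another account does not appear in it.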
    
    


