[BlueOnyx:01830] Re: Second Server Hacked

Michael Stauber mstauber at blueonyx.it
Sun Jul 26 22:50:54 -05 2009


Hi Steve,

> > No idea on the exploit, or how the box has been compromised. This  
> > new box had no domains on it nor any web sites.
>
> So what makes you think it has been? What are the traits of the hack.  
> i.e. what is actually wrong..

Without proper forensics of the box we can only speculate, which doesn't help.

With no domains or user accounts on the box, there are only a limited number of 
ways it could have gotten hacked:

1.) Someone got in with the default "blueonyx" password before the initial 
setup was completed and before a new admin/root password was assigned.

2.) The initial setup was completed, but the new admin/root password was 
either guessed, brute forced or had been obtained through a network sniffer 
during a non-SSL login.

3.) The box got compromised through a known (and already fixed) security hole 
*before* the first YUM update was finished and the hole was closed. Which is 
rather unlikely when I look at the recent patch history and think of what was 
fixed through upstream patches.

4.) The box got compromised through an unknown security hole in one of the 
network enabled services.

Only #4 is something that has me worried, and while I never rule it out, I 
find it somewhat unlikely. Everything else can be avoided with good procedures 
during initial setup, like making sure that the box is not exposed to the 
internet prematurely, and later on while transmitting the password when using 
admin or root privileges.

Now if there is an unpatched security hole in CentOS5 (or RHEL5) we'll hear 
about it soon enough, as it would spread like a wildfire and get proper 
attention somewhere upstream.

All in all this is of course quite unfortunate for you and I feel sorry that 
it happened to you. While it might be a good idea to keep an eye open, I don't 
really see anything that would warrant being overly alarmed or concerned, 
though.

-- 
With best regards

Michael Stauber
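Hypotheses #1 and #2 above (default password used before setup finished, or a password guessed/brute forced) leave traces in the sshd entries of /var/log/secure on a CentOS5/RHEL5 box, so they can be tested before speculating further. The script below is an added example, not part of the original post nor code from the BlueOnyx project: it parses sshd "Accepted"/"Failed" lines, flags a source address that accumulates failures and then gets an accepted login (guessed or brute-forced password), and lists every accepted login that predates the moment initial setup was completed (the default-password window). The log lines are constructed for the example, the threshold of 3 failures within 600 seconds and the setup-completion time are assumptions, and the 2009 year is supplied because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the format CentOS5/RHEL5 sshd writes to /var/log/secure.
# 203.0.113.5 hammers root/admin and then gets in; 198.51.100.7 is a clean login;
# 192.0.2.9 has one typo followed by a key-based login.
SAMPLE_LOG = """\
Jul 25 03:11:58 bx1 sshd[2201]: Failed password for root from 203.0.113.5 port 51201 ssh2
Jul 25 03:12:01 bx1 sshd[2203]: Failed password for root from 203.0.113.5 port 51202 ssh2
Jul 25 03:12:04 bx1 sshd[2205]: Failed password for invalid user admin from 203.0.113.5 port 51203 ssh2
Jul 25 03:12:07 bx1 sshd[2207]: Failed password for root from 203.0.113.5 port 51204 ssh2
Jul 25 03:12:10 bx1 sshd[2209]: Failed password for root from 203.0.113.5 port 51205 ssh2
Jul 25 03:12:13 bx1 sshd[2211]: Accepted password for root from 203.0.113.5 port 51206 ssh2
Jul 25 09:40:22 bx1 sshd[2400]: Accepted password for root from 198.51.100.7 port 40022 ssh2
Jul 26 14:02:10 bx1 sshd[3100]: Failed password for root from 192.0.2.9 port 60010 ssh2
Jul 26 14:05:41 bx1 sshd[3120]: Accepted publickey for root from 192.0.2.9 port 60011 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

LOG_YEAR = 2009  # assumption: syslog lines carry no year, so it must be supplied


def parse_ts(text, year=LOG_YEAR):
    """Turn a syslog-style 'Jul 25 03:11:58' timestamp into a datetime."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def parse(log_text, year=LOG_YEAR):
    """Return (timestamp, result, auth method, user, source ip) for every sshd auth line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd authentication line
        events.append((parse_ts(m["ts"], year), m["result"], m["method"], m["user"], m["ip"]))
    return events


def brute_force_then_success(events, threshold=3, window_s=600):
    """Hypothesis #2: a source ip with >= threshold failures in the window_s seconds
    before one of its logins is accepted. Failures against invalid users count too,
    since a guessing tool cycles usernames as well as passwords."""
    failures = defaultdict(list)
    hits = []
    for ts, result, method, user, ip in events:
        if result == "Failed":
            failures[ip].append(ts)
        else:
            recent = [t for t in failures[ip] if 0 <= (ts - t).total_seconds() <= window_s]
            if len(recent) >= threshold:
                hits.append({"ip": ip, "user": user, "method": method,
                             "failures": len(recent), "accepted_at": ts})
    return hits


def logins_before_setup(events, setup_done_ts, year=LOG_YEAR):
    """Hypothesis #1: any accepted login before initial setup completed, i.e. while
    the factory default password was still valid. setup_done_ts is syslog-style text."""
    setup_done = parse_ts(setup_done_ts, year)
    return [(ts, user, ip) for ts, result, _, user, ip in events
            if result == "Accepted" and ts < setup_done]


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    for hit in brute_force_then_success(evts):
        print(f"guessed/brute-forced: {hit['ip']} -> {hit['user']} via {hit['method']} "
              f"after {hit['failures']} failures at {hit['accepted_at']}")
    for ts, user, ip in logins_before_setup(evts, "Jul 25 06:00:00"):
        print(f"login before setup finished: {ts} {user} from {ip}")
```

On a real box, feed it `cat /var/log/secure*` and replace the setup-completion time with the one from your own notes; a compromised host's logs may of course have been edited, which is exactly why the post asks for proper forensics rather than log reading alone.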
