[BlueOnyx:01838] Re: Second Server Hacked

Stephanie Sullivan ses at aviaweb.com
Mon Jul 27 08:27:24 -05 2009 

> -----Original Message-----
> From: blueonyx-bounces at blueonyx.it [mailto:blueonyx-
> bounces at blueonyx.it] On Behalf Of Michael Stauber
> Sent: Sunday, July 26, 2009 11:51 PM
> To: BlueOnyx General Mailing List
> Subject: [BlueOnyx:01830] Re: Second Server Hacked
> 
> Hi Steve,
> 
> > > No idea on the exploit, or how the box has been compromised. This
> > > new box had no domains on it nor any web sites.
> >
> > So what makes you think it has been? What are the traits of the
> hack.
> > i.e. what is actually wrong..
> 
> Without proper forensics of the box we can only speculate, which
> doesn't help.
> 
> With no domains or user accounts on the box the only limited ways how
> it could
> have gotten hacked:
> 
> 1.) Someone got in with the default "blueonyx" password before the
> initial
> setup was completed and before a new admin/root password was
> assigned.
> 
> 2.) The initial setup was completed, but the new admin/root password
> was
> either guessed, brute forced or had been obtained through a network
> sniffer
> during a non-SSL login.
> 
> 3.) The box got compromised through a known (and already fixed)
> security hole
> *before* the first YUM update was finished and the hole was closed.
> Which is
> rather unlikely when I look at the recent patch history and think of
> what was
> fixed through upstream patches.
> 
> 4.) The box got compromised through an unknown security hole in one
> of the
> network enabled services.
> 
> Only #4 is something that has me worried and I while I never rule it
> out, I
> find it somewhat unlikely. Everything else can be avoided with good
> precedures
> during initial setup. Like making sure that the box is not exposed to
> the
> internet prematurely. And later on while transmitting the password
> when using
> admin or root privileges.
> 
> Now if there is an unpatched security hole in CentOS5 (or RHEL5)
> we'll hear
> about it soon enough, as it would spread like a wildfire and get
> proper
> attention somewhere upstream.
> 
> All in all this is of course quite unfortunate for you and I feel
> sorry that
> it happened to you. While it might be a good idea to keep an eye
> open, I don't
> really see anything that would warrant to be overly alarmed or
> concerned,
> though.
> 
> --
> With best regards
> 
> Michael Stauber

I'd like to add a #5 to Michael mighty four:
Yours or someone with login access's desktop/laptop system has been
hacked/botted and when you setup a server a key-logger is reporting login
information and destination domain to someone. This could also happen with a
lan sniffer on a system in your office, but I'd think that would be much
less likely.

	Thanks,
		-Stephanie

More information about the Blueonyx mailing list