[BlueOnyx:06091] Re: can't run any commands on one of our BlueOnyx boxes
Peter Robbins
pete at bridgewater.it
Sun Dec 12 14:44:03 -05 2010
Yes, you are both right.
I have just finished the imports to the new VM machine.
One should never underestimate the ingenuity of hackers and script kiddies.
I speak from experience.
We couldn't leave the machine as it was, in a perceived compromised position. So it has been cmuExport'ed.
I will look through the logs to see if I can see a problem and then delete the original VM machine.
Thanks to all for your help!
Sent from my iPhone
On 12 Dec 2010, at 19:03, "Chuck Tetlow" <chuck at tetlow.net> wrote:
> I completely agree with Chris - the backdoor that was used to gain access in the first place may still be there. Plus, any rootkits installed are still there. THAT is a dangerous situation.
>
> I'd recommend keeping that box off-line while you do cmuExports of all sites. Build a new box and cmuImport them all into that new box. Before you import - make sure that the new box is fully up-to-date to minimize vulnerabilities.
>
> And after importing everything/getting it working - make a complete box backup before putting it back on line. That way, you've got an emergency restore in case it happens again. After all - the vulnerability/exploit may have been in something in one of those sites. And as soon as you put it back on line - this could happen again.
>
> I'd wait till after I got the box and sites back up - but you need to carefully check the logs to see if you can spot how this happened. If not - you're just putting that rebuilt box out there and crossing your fingers that it doesn't happen again.
>
>
>
> Chuck
>
>
> ---------- Original Message -----------
> From: Chris Gebhardt - VIRTBIZ Internet <cobaltfacts at virtbiz.com>
> To: BlueOnyx General Mailing List <blueonyx at blueonyx.it>
> Sent: Sun, 12 Dec 2010 12:48:10 -0600
> Subject: [BlueOnyx:06089] Re: can't run any commands on one of our BlueOnyx boxes
>
> > Peter Robbins - Bridgewater Software Group wrote:
> > > Not bad for 16 hours continuous work all through the night and next
> > > day. I am off to bed now.
> >
> > So if I understand correctly, you loaded in a new /lib and /usr/lib onto
> > the broken box (or virtual, as the case may be), then put it right back
> > to work?
> >
> > If I haven't missed something that sounds fairly dangerous, especially
> > if you've not located what caused the issue in the first place. I hope
> > you're not in for another round of this.
> >
> > --
> > Chris Gebhardt
> > VIRTBIZ Internet Services
> > Access, Web Hosting, Colocation, Dedicated
> > www.virtbiz.com | toll-free (866) 4 VIRTBIZ
> > _______________________________________________
> > Blueonyx mailing list
> > Blueonyx at blueonyx.it
> > http://www.blueonyx.it/mailman/listinfo/blueonyx
> ------- End of Original Message -------
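An added check for the point Chuck and Chris raise above, that the backdoor or a rootkit may still be on a box whose /lib and /usr/lib were swapped out. This is my own example, not code from the thread or from the BlueOnyx project. It assumes an RPM-based system (BlueOnyx sits on a CentOS base) and triages the output of "rpm -Va", which reports every file that no longer matches its package manifest; the sample output embedded in the script is constructed, not captured from the box discussed here.

```shell
#!/bin/sh
# Added example (not from the thread): triage "rpm -Va" output to spot system
# libraries and binaries that no longer match their package manifests, the
# kind of evidence a replaced /lib or /usr/lib, or a rootkit, leaves behind.
# Assumes an RPM-based system such as BlueOnyx's CentOS base.
#
# rpm -V prints one line per file that differs from its manifest: a 9-character
# flag field (S size, M mode, 5 digest, D device, L symlink, U user, G group,
# T mtime, P capabilities; "." unchanged, "?" could not be checked), an optional
# file-type column (c = config file), then the path. "missing" replaces the
# flags for files that are gone from disk.

# flag_suspect VERIFY_OUTPUT
# Prints "REASON PATH" for every file under the library/binary trees whose
# digest, size or mode changed, or which is missing. mtime-only changes and
# config files are ignored, since those legitimately differ on a working box.
flag_suspect() {
    printf '%s\n' "$1" | awk '
        function interesting(p) {
            return p ~ /^\/(lib|lib64|usr\/lib|usr\/lib64|bin|sbin|usr\/bin|usr\/sbin)\//
        }
        /^missing / {
            if (interesting($NF)) print "missing " $NF
            next
        }
        /^[S.?][M.?][5.?][D.?][L.?][U.?][G.?][T.?][P.?] / {
            flags = $1; path = $NF
            if (!interesting(path)) next
            if (NF == 3 && $2 == "c") next   # config file: edits are expected
            if      (flags ~ /5/) print "digest " path
            else if (flags ~ /S/) print "size " path
            else if (flags ~ /M/) print "mode " path
        }'
}

# Constructed sample of rpm -Va output (not captured from the box in the thread).
SAMPLE='S.5....T.    /usr/lib/libcrypt.so.1
.......T.    /usr/lib/libz.so.1
..5....T.  c /etc/ssh/sshd_config
missing     /lib/libpam.so.0
S.5....T.    /usr/share/doc/README'

if [ "${1:-}" = "--live" ]; then
    # Usage: ./check.sh --live [ROOT]
    # Boot rescue media, mount the suspect disk (e.g. at /mnt/suspect) and pass
    # that as ROOT, so rpm and its database come from a clean system rather
    # than from a possibly rootkitted live one.
    flag_suspect "$(rpm -Va --root "${2:-/}" 2>/dev/null)"
else
    flag_suspect "$SAMPLE"
fi
```

Two caveats a responder should keep in mind: rpm only knows about files that came from packages, so a dropped-in binary or a library that was never packaged will not show up at all, and a rootkit that hooks the live system's libc can hide files from rpm itself, which is why the live run is meant to be done from rescue media against the mounted disk. The script is a first-pass filter for "what changed", not proof that nothing did.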