[BlueOnyx:06094] Re: cant run any commands on one of our BlueOnyxboxes

Steffan general at ziggo.nl
Mon Dec 13 03:40:16 -05 2010


Don't want to scare you, but keep in mind that you have now exported sites from a hacked machine.

It is possible that the backdoor script was installed on a site, so the script is now installed on the new machine.

(It happened to me once.)

So have a very close look at all your sites on this server.

Sort on install dates etc. to see if something strange is there.

If you can access the logs of the old machine, then that's the best place to start.

Look at the Apache and FTP logs to begin.

Good luck

Steffan

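Steffan's two checks (look for recently added or changed files in each imported site, then see what the Apache log says about those paths), as an added POSIX shell example that is not from this thread and is not a BlueOnyx tool. It builds a throwaway site directory and a constructed Apache access log under a temp directory; file modification times stand in for site install dates (an assumption), and every path, address and log line below is made up.

```shell
#!/bin/sh
# Added example (not from the thread): list files recently added or changed under a
# site's web root, then count how often each of those paths is requested in the
# Apache access log. All data below is constructed sample data in a temp directory.

set -u

# recent_files WEBROOT DAYS: files under WEBROOT modified within the last DAYS days.
recent_files() {
    find "$1" -type f -mtime -"$2" | sort
}

# log_hits LOG PATH: number of access-log lines that request exactly PATH
# (any method). Prints 0 instead of failing when there are no matches.
log_hits() {
    grep -c -F -- "$2 " "$1" || true
}

# recent_file_hits WEBROOT LOG DAYS: for each recently changed file print
# "<hit count> <url path>", most requested first. A script that appeared out of
# nowhere and is already being requested is the first thing to inspect.
recent_file_hits() {
    webroot=$1; log=$2; days=$3
    recent_files "$webroot" "$days" | while read -r f; do
        rel=${f#"$webroot"}                       # e.g. /images/x.php
        printf '%s %s\n' "$(log_hits "$log" "$rel")" "$rel"
    done | sort -rn
}

# ---- constructed sample data (not a real site, not a real log) ----
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SITE="$WORK/site"
LOG="$WORK/access_log"
mkdir -p "$SITE/web/images"

printf '<?php echo "hello"; ?>\n'               > "$SITE/web/index.php"
printf 'PNG placeholder\n'                      > "$SITE/web/images/logo.png"
printf '<?php /* unexpected new script */ ?>\n' > "$SITE/web/images/x.php"
# Backdate the legitimate files; the unexpected one keeps "now" as its mtime.
touch -t 201006011200 "$SITE/web/index.php" "$SITE/web/images/logo.png"

cat > "$LOG" <<'EOF'
203.0.113.5 - - [12/Dec/2010:02:14:07 -0600] "GET /index.php HTTP/1.1" 200 512
203.0.113.5 - - [12/Dec/2010:02:15:31 -0600] "POST /images/x.php HTTP/1.1" 200 88
198.51.100.7 - - [12/Dec/2010:02:16:02 -0600] "GET /images/logo.png HTTP/1.1" 200 2048
203.0.113.5 - - [12/Dec/2010:02:17:45 -0600] "POST /images/x.php HTTP/1.1" 200 91
EOF

echo "Files changed in the last 30 days under $SITE/web:"
recent_files "$SITE/web" 30
echo "Access-log hits for those files:"
recent_file_hits "$SITE/web" "$LOG" 30
```

Run it against a real imported site by pointing `recent_file_hits` at the site's web root and its Apache access log; a zero-hit new file is still worth opening, and a file with hits from one address doing POSTs is where Chuck's "spot how this happened" starts.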
 

From: blueonyx-bounces at blueonyx.it [mailto:blueonyx-bounces at blueonyx.it] On Behalf Of Peter Robbins
Sent: Sunday 12 December 2010 20:44
To: BlueOnyx General Mailing List
Subject: [BlueOnyx:06091] Re: cant run any commands on one of our BlueOnyxboxes

 

Yes, you are both right.

I have just finished the imports to the new VM machine.

One should never underestimate the ingenuity of hackers and script kiddies.

I speak from experience.

We couldn't leave the machine as it was, in a perceived compromised position. So it has been cmuExport'ed.

I will look through the logs, see if I can see a problem, and then delete the original VM machine.

 

Thanks to all for your help!


Sent from my iPhone


On 12 Dec 2010, at 19:03, "Chuck Tetlow" <chuck at tetlow.net> wrote:

I completely agree with Chris - the backdoor that was used to gain access in the first place may still be there. Plus, any rootkits installed are still there. THAT is a dangerous situation.

I'd recommend keeping that box off-line while you do cmuExports of all sites. Build a new box and cmuImport them all into that new box. Before you import - make sure that the new box is fully up-to-date to minimize vulnerabilities.

And after importing everything/getting it working - make a complete box backup before putting it back on line. That way, you've got an emergency restore in case it happens again. After all - the vulnerability/exploit may have been in something in one of those sites. And as soon as you put it back on line - this could happen again.

I'd wait till after I got the box and sites back up - but you need to carefully check the logs to see if you can spot how this happened. If not - you're just putting that rebuilt box out there and crossing your fingers that it doesn't happen again.



Chuck 


---------- Original Message ----------- 
From: Chris Gebhardt - VIRTBIZ Internet <cobaltfacts at virtbiz.com> 
To: BlueOnyx General Mailing List <blueonyx at blueonyx.it> 
Sent: Sun, 12 Dec 2010 12:48:10 -0600 
Subject: [BlueOnyx:06089] Re: cant run any commands on one of our BlueOnyxboxes

> Peter Robbins - Bridgewater Software Group wrote: 
> > Not bad for 16 hours continuous work all through the night and next 
> > day.  Iam off to bed now. 
> 
> So if I understand correctly, you loaded in a new /lib and /usr/lib onto 
> the broken box (or virtual, as the case may be), then put it right back 
> to work? 
> 
> If I haven't missed something that sounds fairly dangerous, especially 
> if you've not located what caused the issue in the first place.  I hope 
> you're not in for another round of this. 
> 
> -- 
> Chris Gebhardt 
> VIRTBIZ Internet Services 
> Access, Web Hosting, Colocation, Dedicated 
> www.virtbiz.com | toll-free (866) 4 VIRTBIZ 
> _______________________________________________ 
> Blueonyx mailing list 
> Blueonyx at blueonyx.it 
> http://www.blueonyx.it/mailman/listinfo/blueonyx 
------- End of Original Message ------- 
