[BlueOnyx:03718] Re: Possible breach of server - assistance appreciated

danny at missing.com
Mon Mar 1 01:48:05 -05 2010


I am interested in this one..  First question, where is the box located
(dorm room, data center, etc.)?  I am assuming it's a BQ installation, so a
look at your last log might be helpful

> last| more

that way you can see who was on, at least in some sort of way..  Also
check out secure.

Next I would try to see if there are any rogue processes running

> pstree -G

tends to do a good job (and from what I have seen, even if someone hides
the process from top, they forget to remove it from the graphical tree).

I hope someone comes up with some good information for you on this.  I am
sure it will.

I can also offer a colo/bq box for you if you would like to try some
experimental editing, etc..

> Hi
>
> I hope someone can point me in the right direction because this is a
> little
> stressful (to say the least).
>
> We've been sent a message, via the abuse team in the data centre we use,
> that indicates port scans or something malicious is originating from our
> server.  It's actually the third time now.
>
> The message is below, but my problem is I don't have enough familiarity
> with
> Linux security to dig in and know what I'm looking for.  Therefore any
> pointers in the right direction would be appreciated.
>
> Thanks, Richard
>
> The message received was as follows:
> --------------------------------------
>
> This is an automated message from Columbia University IT Security.  You
> are
> receiving it because you are listed as the abuse contact for the machine
> referred to below.  This machine attempted to gain unauthorized
> access to one or more machines at Columbia University.
>
> Details are provided below.  Please take all necessary
> steps to mitigate such attacks.
>
> If you have received this message in error, or if this incident
> reported is inappropriate, please contact security at columbia.edu
> so that we can update our procedures.  Please include the entire
> body of this message.
>
> Thank You.
>
> Columbia University IT Security
> security at columbia.edu
>
> Name:     s1.XXXXXX.net
> Address:  217.112.XX.XX
>
> Incident type: 6000/tcp
> First attempt: 27-feb-2010 05:50:00 GMT-0500
> Last attempt: 27-feb-2010 05:50:00 GMT-0500
> Total attempts: 131061
>
> 27-Feb-2010 05:51:46 GMT-0500 217.112.XX.XX:62518 -> 156.111.227.14:6000 6 48
> 27-Feb-2010 05:51:46 GMT-0500 217.112.XX.XX:62518 -> 156.111.227.40:6000 6 48
> 27-Feb-2010 05:51:46 GMT-0500 217.112.XX.XX:62518 -> 156.111.227.45:6000 6 48
> 27-Feb-2010 05:51:46 GMT-0500 217.112.XX.XX:62518 -> 156.111.227.46:6000 6 48
> 27-Feb-2010 05:51:46 GMT-0500 217.112.XX.XX:62518 -> 156.111.227.48:6000 6 48
> 27-Feb-2010 05:51:46 GMT-0500 217.112.XX.XX:62518 -> 156.111.227.81:6000 6 48
> 27-Feb-2010 05:51:46 GMT-0500 217.112.XX.XX:62518 -> 156.111.227.67:6000 6 48
>
> There was lots more, all of a similar nature.
>
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at blueonyx.it
> http://www.blueonyx.it/mailman/listinfo/blueonyx
>
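An added example, not part of the thread: a small parser for flow lines in the layout of the abuse report quoted above. It converts the GMT-0500 timestamps to UTC (the window to compare against `last` and /var/log/secure, as the reply suggests) and flags the many-targets, one-port, fixed-source-port pattern that distinguishes an outbound scan from normal traffic. The sample addresses are constructed placeholders, and reading the trailing "6 48" as protocol number and byte count is an assumption.

```python
import re
from datetime import datetime, timezone
# Constructed sample in the layout of the quoted abuse report; the addresses
# are documentation placeholders, not the ones in the real message.
SAMPLE_REPORT = """\
27-Feb-2010 05:51:46 GMT-0500 203.0.113.5:62518 -> 198.51.100.14:6000 6 48
27-Feb-2010 05:51:46 GMT-0500 203.0.113.5:62518 -> 198.51.100.40:6000 6 48
27-Feb-2010 05:51:46 GMT-0500 203.0.113.5:62518 -> 198.51.100.45:6000 6 48
27-Feb-2010 05:51:47 GMT-0500 203.0.113.5:62518 -> 198.51.100.46:6000 6 48
27-Feb-2010 05:51:47 GMT-0500 203.0.113.5:62518 -> 198.51.100.48:6000 6 48
"""

# The trailing "6 48" is read as IP protocol number and byte count (assumption).
LINE_RE = re.compile(
    r"(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}) GMT(?P<tz>[+-]\d{4}) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?: (?P<proto>\d+) (?P<size>\d+))?\s*$"
)
def parse_report(text):
    """Return one dict per flow line, with the timestamp converted to UTC."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip().lstrip("> "))  # tolerate mail quoting
        if not m:
            continue  # header lines, blanks, and anything else are skipped
        d = m.groupdict()
        local = datetime.strptime(d["ts"] + d["tz"], "%d-%b-%Y %H:%M:%S%z")
        d["utc"] = local.astimezone(timezone.utc)  # GMT-0500 -> +5h
        flows.append(d)
    return flows

def summarize(text, min_targets=5, max_span_s=300):
    """Collapse the flow lines into what a local triage needs to know."""
    flows = parse_report(text)
    if not flows:
        return {"flows": 0, "scan_like": False}
    times = [f["utc"] for f in flows]
    dst_hosts = {f["dst"] for f in flows}
    dst_ports = sorted({f["dport"] for f in flows})
    src_ports = sorted({f["sport"] for f in flows})
    span = (max(times) - min(times)).total_seconds()
    # Many distinct targets, one destination port and one fixed source port,
    # all inside a short window: the shape of an outbound scan, not of normal
    # traffic. The UTC window is what to look for in /var/log/secure and `last`.
    scan_like = (len(dst_hosts) >= min_targets and len(dst_ports) == 1
                 and len(src_ports) == 1 and span <= max_span_s)
    return {"flows": len(flows), "sources": sorted({f["src"] for f in flows}),
            "src_ports": src_ports, "dst_ports": dst_ports,
            "dst_hosts": len(dst_hosts), "window_utc": (min(times), max(times)),
            "scan_like": scan_like}
```

Feed it the whole report body (quote markers included); only the flow lines are parsed.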