[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Gnumed-devel] URGENT - hacked

From: Horst Herb
Subject: [Gnumed-devel] URGENT - hacked
Date: Sun, 21 Nov 2004 16:31:02 +1100
User-agent: KMail/1.7 has been hacked, a root kit installed.
This happened probably on 15th of November (at least some of the kitted files 
like rm, chmod, login, ifconfig etc. bear such time stamp and log entries 
before that date look unsuspicious)

The network interface was in promiscuous mode at least since 15.11 - so 
consider your paswords compromised. If you use them on any other system, 
change them IMMEDIATELY!

I am in the process of cleaning up, but it is not easy.
I rsynced the whole server onto a safe machine, but databases need to be 
backed up.

Everybody with access to please back up immediately all your own 
files, especially database dumps.

I will switch that server off on Tuesday, replacement will probably be 
seamless - I have already commissioned a much faster machine (with 1 GB RAM 
and 160 GB hdd on a 100MBit internet connection) - but for that one I will 
not allow others to get root-alike access anymore, after the current 

The new server will be firewalled *on top* of the firewall that was/is 
provided by the data centre.

I don't know yet how the root kit was installed. Since 15th, I have been 
syncing the logs onto a local machine and watched all activity - the intruder 
appears to "merely" have abused the machine for spamming, hasn't defaced 

The server didn't contain any confidential data, was purely used for open 
source projects, hence no data theft possible.

I could trace the intruder to a few other hacked sites, where he has deposited 
lists with hundreds of thousands of "valid" e-mail addresses, but I have not 
been able to identify the intruder yet nor to track him down to his original 
IP number


reply via email to

[Prev in Thread] Current Thread [Next in Thread]