* * * * *
Not that bad, as these things go
Well, the server was hacked [1], but it looks like a customer account was
compromised, since the executables were owned by a customer account, the
processes were running on unprivileged ports, and the server was being used
as part of denial of service attacks, with executables hidden under a hidden
directory in /var/tmp.
Fortunately, the system hacked is running Linux without module support, so
patching system calls [2] to hide activity is impossible without a reboot
(which would be noticed).
And as always, it could have been worse [3].
[1]
gopher://gopher.conman.org/0Phlog:2006/01/16.3
[2]
http://lib.ru/SECURITY/linux_module_heroin.txt
[3]
gopher://gopher.conman.org/0Phlog:2004/09/19.1
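
A check for the indicators described above, as an added example that is not
part of the original post: it lists executable files sitting below a hidden
directory together with their owning uid, and reports whether the running
kernel has loadable-module support. The function names and the sample tree are
constructed for illustration; on a real host the root to scan would be /var/tmp.

```python
import os
import stat
import tempfile

def hidden_executables(root):
    """Return sorted (path, owner_uid) for executable regular files that sit
    below a dot-directory anywhere under root. Symlinks are not followed."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        rel = os.path.relpath(dirpath, root)
        parts = [] if rel == "." else rel.split(os.sep)
        if not any(p.startswith(".") for p in parts):
            continue  # only directories with a hidden component are of interest
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished or became unreadable mid-scan
            if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
                hits.append((path, st.st_uid))
    return sorted(hits)

def kernel_has_module_support(proc="/proc"):
    """/proc/modules exists only when the kernel was built with CONFIG_MODULES."""
    return os.path.exists(os.path.join(proc, "modules"))

def build_sample_tree():
    """Constructed sample: one executable inside a hidden directory, plus noise."""
    root = tempfile.mkdtemp(prefix="vartmp-sample-")
    os.makedirs(os.path.join(root, ".cache", "bin"))
    os.makedirs(os.path.join(root, "visible"))
    for rel, mode in ((".cache/bin/tool", 0o755), (".cache/notes.txt", 0o644),
                      ("visible/script", 0o755)):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    root = build_sample_tree()  # replace with "/var/tmp" on a real host
    for path, uid in hidden_executables(root):
        print(f"uid={uid} {path}")
    print("module support:", kernel_has_module_support())
```

A uid that maps to a customer account rather than root is what points to an
account compromise rather than a full system compromise.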