this was basically what i did http://forums.cpanel.net/f7/beginner...ver-30159.html
Maybe they did not find your root password, but another user's password, and exploited some local vulnerability to get root?
Did you check your logs to see if they brute forced it? As far as monitoring, this is what I just posted on another thread:
I had a similar problem a while ago and used the OSSEC tool (open source) to find all offending packages. It has a nice rootkit/worm/exploit detection tool in there.
After that, I kept that running with Snort and ModSecurity (all open source) to monitor my systems. I lately also found Sucuri to remotely check if my sites have been defaced, blacklisted, etc.
links:
Welcome to the Home of OSSEC
ModSecurity: Open Source Web Application Firewall
Snort :: Home Page
Sucuri information security (BETA)
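The "check your logs for brute forcing" step above, as an added example that is not from the original thread: a small parser for sshd lines in the /var/log/secure syslog format that flags source IPs with a burst of failed logins and notes whether the same IP later got an "Accepted" login. The log lines, host name and IPs are constructed sample data; the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (syslog layout, as in /var/log/secure on older Fedora).
SAMPLE_LOG = """\
Mar  3 02:14:01 web1 sshd[2111]: Failed password for root from 203.0.113.9 port 40112 ssh2
Mar  3 02:14:03 web1 sshd[2113]: Failed password for root from 203.0.113.9 port 40118 ssh2
Mar  3 02:14:05 web1 sshd[2115]: Failed password for invalid user admin from 203.0.113.9 port 40121 ssh2
Mar  3 02:14:07 web1 sshd[2117]: Failed password for root from 203.0.113.9 port 40130 ssh2
Mar  3 02:14:09 web1 sshd[2119]: Failed password for root from 203.0.113.9 port 40133 ssh2
Mar  3 02:14:11 web1 sshd[2121]: Failed password for root from 203.0.113.9 port 40140 ssh2
Mar  3 02:16:40 web1 sshd[2130]: Accepted password for root from 203.0.113.9 port 40201 ssh2
Mar  3 09:30:12 web1 sshd[2410]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Mar  3 09:30:40 web1 sshd[2412]: Accepted publickey for alice from 198.51.100.7 port 51002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_events(text, year=2009):
    """Return (timestamp, result, user, ip) for each sshd auth line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def find_brute_force(text, threshold=5, window_seconds=60):
    """Flag IPs with >= threshold failures inside window_seconds; record a later Accepted login."""
    events = parse_events(text)
    failures = defaultdict(list)
    for ts, result, user, ip in events:
        if result == "Failed":
            failures[ip].append((ts, user))
    findings = {}
    for ip, attempts in failures.items():
        attempts.sort()
        for i in range(len(attempts) - threshold + 1):
            first, last = attempts[i][0], attempts[i + threshold - 1][0]
            if (last - first).total_seconds() <= window_seconds:
                later_ok = [t for t, r, _, a in events if a == ip and r == "Accepted" and t >= last]
                findings[ip] = {"failures": len(attempts),
                                "users_tried": sorted({u for _, u in attempts}),
                                "success_after": later_ok[0] if later_ok else None}
                break
    return findings
```

A flagged IP whose burst is followed by an Accepted login is the case worth treating as a likely compromise rather than just noise.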
Sphost was (and unfortunately still is) using an obsolete, almost EOL version of Fedora, and the BIND server had not been patched or secured in the original server configuration, so the hackers had used an old exploit to gain a root shell via a DNS attack. It would not have worked on most servers today, so they were actually lucky finding his server.

His server has now been fully secured: the vulnerable areas have been manually patched and reconfigured so the previous vulnerabilities no longer exist, the server has been fully hardened, and an extensive list of defensive technologies has been put in place to help protect him from future exploit and hacking attempts.

He's in a lot better shape now and has also been upgraded in the process to Apache 2.2.11 along with Suhosin hardened suPHP and other goodies, including a well configured firewall and port scan monitors, rootkit detectors, intelligent traffic monitoring, self-updating protection, and other fun stuff.