On Fri, 25 Jun 2010 11:47:22 -0700 (PDT), Marc Shapiro > For now, the system is powered down and the FIOS router is disconnected.
> Whoever got to my box had to get past the router's firewall, so I am hoping > that it gets a new IP address when I do plug it back in. I'm trying to > figure how a cracker got past the firewall. I know that firewalls are not > perfect, but it keeps most ports closed, by default, and I do not think > that I opened any up. Considering he gamed postgre it's very unlikely that this was a network based attack, thus your f/w is likely irrelevant. The most likely scenario is that he cracked your web server, exploiting some weakness in php-cgi or similar to get to postgre, which apparently had sufficient privileges to accomplish what he wanted. If you were unable to find any inbound connections whilst these ~300 outbound connections were present, and given that restarting the box caused the ~300 ssh processes to instantly start up again and connect to Taiwan and God knows where else, it's pretty clear that code of one kind or another, either a script or a binary, has been uploaded to your system by the cracker. Thus: Removing the postgre package and removing the user and its password may not totally solve the problem. Neither you nor I nor apparently anyone else on this list is a post break in forensics expert. In the absence of one, this is why the security community recommends as a best practice to copy necessary data files off the machine, wipe it clean, and reinstall from scratch. This is the _only_ way for non-experts (and even experts often times) to be _sure_ the compromise situation no longer exists. Are you absolutely sure that doing what you state above will totally cleanse the machine? You also need to find the root cause that allowed for the point of entry. Without identifying the hole and closing it with either a software update or a configuration change, the attacker will be in your system again in no time flat. He's already done it one. If you don't change anything, what stops him from hopping right back in? So you changed the postgresql user password. So what? He cracked it once didn't he? You really need to consider these things before making a decision on how to best proceed. Whatever you do need to prevent this guy from getting back in. That likely means getting your web to database stack in proper order most of all. -- Stan -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/8a721a9c1ddace5e079c7a91df30e...@localhost
