similar to: an actual hacked machine, in a preserved state

Suppose I have a CentOS 5.7 machine running the default Apache with no extra modules enabled, and with the "yum-updatesd" service running to pull down and install updates as soon as they become available from the repository. (Assume further the password is strong, etc.) On the other hand, suppose that as the admin, I'm not subscribed to any security alert mailing lists which send

If an attacker finds an exploit to take control of httpd, they're still blocked in part by the fact that httpd runs as the unprivileged apache user and hence can't write any root-owned files on the system, unless the attacker also knows of a second attack that lets apache escalate its privilege. Basically correct? What about sshd -- assuming that the attacker can connect to sshd at

(Tried sending this before but it doesn't look like it went through; apologies if you're seeing it twice.) OK, a second machine hosted at the same hosting company has also apparently been hacked. Since 2 of out of 3 machines hosted at that company have now been hacked, but this hasn't happened to any of the other 37 dedicated servers that I've got hosted at other hosting

Ever since someone told me that one of my servers might have been hacked (not the most recent instance) because I wasn't applying updates as soon as they became available, I've been logging in and running "yum update" religiously once a week until I found out how to set the yum-updatesd service to do the equivalent automatically (once per hour, I think). Since then, I've

With companies like Facebook and Google offering cash prizes for people who can find security holes in their products, has there ever been any consideration given to offering cash rewards to people finding security exploits in CentOS or in commonly bundled services like Apache? (Provided of course they follow "responsible disclosure" and report the exploit to the software authors

http://wiki.centos.org/HowTos/SELinux says: "Access is only allowed between similar types, so Apache running as httpd_t can read /var/www/html/index.html of type httpd_sys_content_t." however the doc doesn't define what "similar types" means. I assumed it just meant "beginning with the same prefix". However that can't be right because on my system with

There's an article on slashdot about the Duqu team wiping all their intermediary c&c servers on 20 Oct. Interestingly, the report says that they were all (?) not only linux, but CentOS. There's a suggestion of a zero-day exploit in openssh-4.3, but both the original article, and Kaspersky labs (who have a *very* interesting post of the story) consider that highly unlikely, and the

Hello everyone, As I am new to the asterisk community (although have been on the list reading for about 6 months) I wanted to see what users would recommend for security to protect several asterisk/ vicidial servers over a fiber connection. Currently I have a managed switch (Tellabs 8813-310) from time warner but I am having intrusion issues on my linux server which I think are contributing

My home machine has IP 50.54.225.130. I have (for the purposes of this experiment) one remote machine at www.peacefire.org (69.72.177.140) and another at www.junkwhale.com. When I'm logged in to peacefire, I run this perl script to open an ssh connection to junkwhale and run a command: my $hostname="www.junkwhale.com"; my $server_password = "[redacted!]"; use Net::SFTP;

Good Day! I think we have a serious problem. One of our old server running FreeBSD 4.9 have been compromised and is now connected to an ircd server.. 195.204.1.132.6667 ESTABLISHED However, we still haven't brought the server down in an attempt to track the intruder down. Right now we are clueless as to what we need to do.. Most of our servers are running legacy operating systems(old

Hi, My boss asked me to harden a CentOS box by removing "hacker" tools, such as nmap, tcpdump, nc (netcat), telnet, etc. I would like to know which list of packages would you remove from a base install. I would appreciate if someone could point me to a "standard" way of doing this. I know there are procedures for hardening a machine (I remember reading about Bastille Linux)

Hi, We have clients with various security & compliance requirements. Although not required, it would be ideal to have messages encrypted at rest. We already use SSL/TLS to secure the transmission of most email. However, it would be nice to have them encrypted sitting on our server. Is anyone doing this? I think that ideally, rather than full-disk encryption, we should use an encryption that

On 02/04/2015 04:55 PM, Warren Young wrote: > Unless you have misconfigured your system, anyone who can copy > /etc/shadow already has root privileges. They don?t need to crack your > passwords now. You?re already boned. Not exactly. There have been remotely exploitable vulnerabilities where an arbitrary file could be read (not written), but otherwise root access wasn't given

Some time ago one of my customer's computers was compromised by outside attackers, and though we were able to clean it up I never learned how. A few weeks back, my own office machine was hacked and the signs were similar; but this time I found an exploit program named "kulak" in my /tmp directory. Evidently (according to the source, which the attacker left behind also) kulak

Hi, I''ve had several people ask me about a comment I made in a previous post; <quote> Dan, firstly, if you haven''t touched the compromised system much, do a "dd" across the raw disk and grep it for log fragments. I have seen vital erased logs recovered this way before! </quote> I shall try and explain a bit more! If an attacker erases, or truncates a

On Wed, Feb 4, 2015 at 4:55 PM, Warren Young <wyml at etr-usa.com> wrote: >>> >> There have been remotely exploitable vulnerabilities where an arbitrary file could be read > > CVEs, please? > > I?m aware of vulnerabilities that allow a remote read of arbitrary files that are readable by the exploited process?s user, but for such an exploit to work on /etc/shadow,

Hi, I am sad to say that there was a compromise of the WineHQ database system. What we know at this point that someone was able to obtain unauthorized access to the phpmyadmin utility. We do not exactly how they obtained access; it was either by compromising an admins credentials, or by exploiting an unpatched vulnerability in phpmyadmin. We had reluctantly provided access to phpmyadmin to the

Hello, yesterday one of the extensions on my asterisk server got compromised by brute-force attack. The attacker used it to try pull an identity theft scam playing a recording from a bank "your account has been blocked due to unusual activity, please call this number..." Attacker managed to make lots of calls for around 8 hours before I detected it and changed the password for that

I have a server that has been compromised. I'm running version 4.6.2 when I do >last this line comes up in the list. shutdown ~ Thu Aug 28 05:22 That was the time the server went down. There seemed to be some configuration changes. Some of the files seemed to revert back to default versions (httpd.conf, resolv.conf) Does anyone have a clue what type of

Hello. At work we collect logs (via ssh) from all kinds of hosts on one central node which has no connection to the internet and is tried to kept secure. The idea is, as you can imagine, that in case of a compromise we'd have at least all the logs up to the break without any forgeries. The logging is done continuously and compression is used. Now the following is not really that much