Back up and running



BlueAdept
08-13-2002, 11:13 AM
Well, I'm back up and running. Now with dual processors :)

I had gotten my system all re-set up except for my mail and up2date. I ran out of time and had to go to work. I figured I would do the up2date when I got home. From work I set up the mail and then got locked out of my system.

In those 8 hours I was at work, someone used the apache exploit and took over my system. All I can find that they did was to change the root password, wipe out the system logs (hehe, they didn't find the backup logs I generate) and possibly get the shadow password file. They also installed some programs to give them access to the system.

I came home, booted into linux single mode and started my investigation. Saved all the info I had on him and the programs they left for me.

I couldn't believe that within 8 hours someone could find my system and take it over. I knew the exploit existed (as I had posted here) but I didn't expect them to find my system that quickly after I had just done a re-install.

I re-wiped my system (just in case they did something I didn't know about) and re-installed everything. This time I kept my httpd services down along with ssh and smtp. The first thing I did after I put up the firewall again was to do up2date.

WORD TO THE WISE:
If you don't have a good firewall, get one (gShield is simple to set up). If you haven't done up2date, you should. If you don't and you run apache web server, take it down.

Cryonic
08-13-2002, 11:27 AM
I'm not at all surprised that they found it in less than 8 hours. Script kiddies are running automated tools that scan the Net day in/day out for systems and automatically take them over. I seriously doubt the person who did it had any clue as to what they were really doing when it comes to cracking a box and removing the trace of what they had done.

BlueAdept
08-13-2002, 12:13 PM
Yeah, I thought it might be an automated script that took over the system. I really didn't see anything done other than the changing of the root password, deletion of the logs, and installation of the Vadm program (I think that is what it was, I have it backed up on tape).

I was thinking that the script may have gotten in, did all that, but my firewall prevented them from actually logging in (the quick glance I had at it last night, it appeared to be a program that allows a remote root X client).

What FAQ?
08-13-2002, 03:35 PM
Ok, I have a quick question. Is something like the apache exploit possible if you run a linksys router, or is that only something to worry about if you're running your Linux system as the gateway? Still new to the network aspect of all of this, but I was under the assumption that with the router in line my systems were "undetectable" from the outside.


P.S. you guys do one hell of a job here. With absolutely no Linux exp or networking exp I was able (after a struggle) to get Linux installed, configured, and up and running as my gateway. Seq enabled! hehe. Thank God for the FAQs, walkthroughs and more searches than I can count hehehe.

*tips hat*

fryfrog
08-13-2002, 03:43 PM
Even if hidden behind a router, it is always a good idea to make sure you are secure. Even if someone doesn't own THAT box, if something were to happen to another box... that vulnerable box would still be an easy target.

The only way a web server behind a firewall would be vulnerable would be if you were forwarding web traffic to it. So, if it is silently behind the firewall, with NO traffic directed at it... it is more safe than if you are forwarding web/ftp traffic to it.

What FAQ?
08-13-2002, 03:57 PM
The reason I was asking isn't because I'm running a web server but because I haven't taken it back out yet. hehehe, afraid of removing the wrong packages and screwing everything up.

The only thing I'm using Linux for atm is seq, web browsing, checking mail, and CD player / solitaire during those long camps =p