Quote (originally posted by seanhogge):
(..) my outward-facing web & ftp (no mail) server was sending them unfriendly traffic. A quick htop showed that root had executed "pnscan" but I never recalled installing it. I sent it a kill -9, and sure enough, dpkg -s pnscan tells me it's never been installed.

While it seems to be a reflex both new and seasoned Linux admins fall for, and while information can be gleaned from existing files, killing processes without recording details first does not help, or speed up, the fact-finding process, as clues like deleted files on open file descriptors and environment information like user details, working directory and connection data are lost.
Quote (originally posted by seanhogge):
The problem is, I don't know where to begin looking. I've scoured logs - I don't see anything obviously fishy there. I've checked bash history - nothing there (..) Where else should I be looking,

A second thing, and that may be just me favoring cold, hard data over an account of things any day, is that it is more efficient to tell us what terms exactly you have looked for and in which log files, as "anything obviously fishy" doesn't convey much. More importantly, if you have never experienced a breach of security then the best thing to do is do nothing. Take a step back, ask for advice and read. While old and decommissioned, the CERT Intruder Detection Checklist still can provide you with aspects of your system to check. Finally, I would not install software but assess the system and perform log analysis first. List which 'net-facing software and which versions are installed, including applications you run on top of the web server and any plugins those applications use. Wrt logs: if you have a separate known safe workstation (hell, it could even be a virtualized guest on a home machine) then I suggest you pull in utmp, wtmp, btmp, lastlog, the system and daemon logs and run Logwatch on it. Easiest, quickest way IMO to generate leads.
Quote (originally posted by seanhogge):
Is this definitely someone who's rooted my server?

A rogue process running as root being as good as any other clue, I'm more interested in how this happened.
Quote (originally posted by seanhogge):
In any case, all I've done is a password change. I'm worried I'm leaving other avenues unexplored, though.

Apart from changing all passwords, do consider the system compromised until a conclusion tells you otherwise. Best stop or restrict access to any 'net-facing services that are not vital in the fact-finding phase (meaning that if the machine is not local you'll only want SSH access).
HTH
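The "record details before you kill it" advice above, as an added example that is not part of the original post or the thread: a small POSIX sh script that snapshots the volatile state of a suspect process from /proc (executable path, working directory, command line, environment, open descriptors, sockets, and a copy of the binary if it was already deleted from disk) and then copies the login-accounting files and system logs for offline analysis on a clean workstation. It assumes Linux with /proc mounted, that it runs as root (or the process owner), and that ss or netstat is installed; the function names and output layout are my own choices.

```shell
#!/bin/sh
# Added example, not from the original thread: snapshot the volatile state of
# a suspect process from /proc BEFORE sending it a signal. Assumes Linux with
# /proc mounted, run as root (or the process owner). Function names and the
# output directory layout are this example's own choices.

# Return 0 when a readlink target names an unlinked file. /proc appends
# " (deleted)" to exe/fd links whose file was removed from disk while the
# process kept it open; that is exactly the clue a kill -9 destroys.
is_deleted_target() {
    case "$1" in
        *' (deleted)') return 0 ;;
        *)             return 1 ;;
    esac
}

# Print the descriptor lines from a capture directory that point at deleted
# files. Usage: deleted_fds OUTDIR   (grep returns 1 if there are none)
deleted_fds() {
    grep ' (deleted)$' "$1/fds"
}

# Capture what disappears once the process dies.
# Usage: capture_proc_state PID OUTDIR
# Returns 0 on success, 2 if /proc/PID is not readable (no such pid, or no
# permission, or no /proc), 1 if OUTDIR cannot be created.
capture_proc_state() {
    pid="$1"; out="$2"
    [ -r "/proc/$pid/status" ] || return 2
    mkdir -p "$out" || return 1
    readlink "/proc/$pid/exe" > "$out/exe" 2>/dev/null || :
    readlink "/proc/$pid/cwd" > "$out/cwd" 2>/dev/null || :
    # cmdline and environ are NUL-separated; store one entry per line
    tr '\0' '\n' < "/proc/$pid/cmdline" > "$out/cmdline" 2>/dev/null || :
    tr '\0' '\n' < "/proc/$pid/environ" > "$out/environ" 2>/dev/null || :
    cp "/proc/$pid/status" "$out/status" 2>/dev/null || :   # Uid, Gid, PPid
    # One line per open descriptor: "<fd> -> <target>"
    : > "$out/fds"
    for fd in "/proc/$pid/fd"/*; do
        [ -L "$fd" ] || continue
        printf '%s -> %s\n' "${fd##*/}" "$(readlink "$fd" 2>/dev/null)" >> "$out/fds"
    done
    # The exe link still resolves to the inode even when the file was
    # unlinked, so the binary can be recovered for later analysis.
    if is_deleted_target "$(cat "$out/exe")"; then
        cp "/proc/$pid/exe" "$out/exe.recovered" 2>/dev/null || :
    fi
    # Sockets owned by this pid: ss (iproute2) if present, else netstat
    if command -v ss >/dev/null 2>&1; then
        ss -tunap 2>/dev/null | grep "pid=$pid," > "$out/sockets" || :
    elif command -v netstat >/dev/null 2>&1; then
        netstat -tunap 2>/dev/null | grep "[^0-9]$pid/" > "$out/sockets" || :
    fi
    return 0
}

# Copy the login-accounting files and system logs so they can be analysed
# (e.g. with Logwatch) on a known-clean workstation. Usage: collect_logs OUTDIR
collect_logs() {
    mkdir -p "$1/logs" || return 1
    for f in /var/run/utmp /var/log/wtmp /var/log/btmp /var/log/lastlog \
             /var/log/syslog /var/log/messages /var/log/auth.log /var/log/secure; do
        [ -r "$f" ] && cp -p "$f" "$1/logs/" 2>/dev/null || :
    done
    return 0
}

# Stand-alone use: sh capture.sh PID   (writes ./ir-PID-<epoch>/)
if [ -n "$1" ]; then
    dir="ir-$1-$(date +%s)"
    capture_proc_state "$1" "$dir" && collect_logs "$dir" && echo "saved to $dir"
    deleted_fds "$dir" || echo "no deleted files held open"
fi
```

Run it against the pid from htop (or `pgrep pnscan`) first, copy the output directory off the box, and only then decide whether to signal the process. Note that the snapshot is taken by tools on the possibly compromised host, so a kernel-level rootkit could lie to it; the copied logs are a second, independent source of leads, which is why the post suggests running Logwatch on them elsewhere.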