[mdlug] Possible Vector of recent "haxored" Linux/Apache Servers?

Robert Adkins radkins at impelind.com
Fri Jan 25 18:31:46 EST 2008


> 
> > I just had a thought... This system they are using appears to be a 
> > common webhosting configuration tool. Is it possible that the 
> > compromised Linux servers ( <http://www.linux.com/feature/125548> ) 
> > could be running this same webhosting configuration package?
> >
> > The last I read, it seems that the most logical 
> > explanation has been 
> > the cracking of root accounts.
> >
> 
> Off-Topic, but...
> There are claims that not only cPanel (the configuration 
> tool) has been hit, but other webhost interfaces as well. Of 
> course, there's not much in the way of details from anyone so 
> it's somewhat difficult to know anyone else's actual configuration.
> The word on the street is that most of the servers have 
> allowed root login over SSH. The attackers are doing a good 
> job of cleaning up after themselves, not leaving much in the 
> way of logs.
> We've (totalchoice) not had any compromised systems due to this.
> 
> end off-topicness.
> 
> ----
> Jesse J. Salens

	That's great to hear that TCH hasn't had any compromised servers.

	It will be nice to get to the bottom of all of this.

	Hopefully, one of those Honey Pot running groups will tweak up a
server to see about capturing the compromise vector and post some results,
damn soon. It would be really nice to blow this problem out of the water and
off the net as soon as possible.

	-Rob