Linux (Ubuntu) Security Consultant
November 3, 2013 11:13 AM
Hey guys
I’ve got a VPS running Ubuntu 10.04.4 LTS, and this AM become aware of untoward activity on my box. Specifically, I’ve got the system setup to email if CPU activity exceeds a specific percentage, which it did around 2PM GMT today.
By looking at top, netstat and ps I saw strange programs running (bash, wget and ircd) under a user id that I’ve never used to login with (the box hosts about a dozen web sites but only myself and my wife ssh into it), via IPs that I did not recognise. Upon further investigation I found someone had installed a PHP program (bot.php) on my box and was running wget and a few other commands via this script. They had placed this program, other scripts and a bash shell in /tmp .
I removed the software (saved in a secure location for later evaluation), identified/terminated the processes and banned the IPs via iptables. Although the machine has been quiet in the five hours since I have no idea how they gained access and fear it will happen again. I know there are several misconfigurations (apache list directory gives access to pretty much the entire box) but I’ve been unable to fix. Also I suspect there are PHP vulnerabilities, but identifying and reciting both is out of scope for myself.
While I do believe this was casual cracking (otherwise they would have tried from another IP perhaps) I’d like to retain someone on a one off basis to review the existing setup, recommend remedial action and then undertake fixes as necessary. As part of the process I’d like all the vulnerabilities explained (briefly) as well as explaining the actions that will be taken to fix. This could take place via Skype or email. Ideally we’d carry out the initial evaluation as a fully billable exercise, with the remedial actions billable as well. Rates to be discussed and agreed step by step, clear deadlines established and payment 50% in advance and 50% upon completion.
I’d like this done quickly since the box has very fat upstream pipes to several ISPs (which is probably why its targeted) and I’m trying to be a good netizen. And I have no idea what they were doing on my box overall, seems like wget today when I discovered, but who knows what else and how long its been going on for.
payscale: TBD/TBA
job type: contract
I’ve got a VPS running Ubuntu 10.04.4 LTS, and this AM become aware of untoward activity on my box. Specifically, I’ve got the system setup to email if CPU activity exceeds a specific percentage, which it did around 2PM GMT today.
By looking at top, netstat and ps I saw strange programs running (bash, wget and ircd) under a user id that I’ve never used to login with (the box hosts about a dozen web sites but only myself and my wife ssh into it), via IPs that I did not recognise. Upon further investigation I found someone had installed a PHP program (bot.php) on my box and was running wget and a few other commands via this script. They had placed this program, other scripts and a bash shell in /tmp .
I removed the software (saved in a secure location for later evaluation), identified/terminated the processes and banned the IPs via iptables. Although the machine has been quiet in the five hours since I have no idea how they gained access and fear it will happen again. I know there are several misconfigurations (apache list directory gives access to pretty much the entire box) but I’ve been unable to fix. Also I suspect there are PHP vulnerabilities, but identifying and reciting both is out of scope for myself.
While I do believe this was casual cracking (otherwise they would have tried from another IP perhaps) I’d like to retain someone on a one off basis to review the existing setup, recommend remedial action and then undertake fixes as necessary. As part of the process I’d like all the vulnerabilities explained (briefly) as well as explaining the actions that will be taken to fix. This could take place via Skype or email. Ideally we’d carry out the initial evaluation as a fully billable exercise, with the remedial actions billable as well. Rates to be discussed and agreed step by step, clear deadlines established and payment 50% in advance and 50% upon completion.
I’d like this done quickly since the box has very fat upstream pipes to several ISPs (which is probably why its targeted) and I’m trying to be a good netizen. And I have no idea what they were doing on my box overall, seems like wget today when I discovered, but who knows what else and how long its been going on for.
payscale: TBD/TBA
job type: contract
This job has been filled.