[nycphp-talk] Issues with server getting hacked

CED consult at covenantedesign.com
Sat Sep 12 22:50:26 EDT 2009


Ajai Khattri wrote:
> On Fri, 11 Sep 2009, Daniel Convissor wrote:
>
>> They must have some evidence indicating a problem exists.  They need to 
>> tell you what that evidence is.  Then you'll have a direction to go in.  
>
> That's not always the case: they could have seen something as simple as a 
> sudden increase in load or number of connections coming in/out of the 
> machine, or just a boatload of port 25 traffic.
>
If that was the case, they wouldn't have known which files to "tar up". 
Depending on how they were tarred you should be able to see the path by 
querying the index of the tar file.

Not to reiterate what Chris was saying, but you need information in 
order to take appropriate action.
All things considered there are at least several thousand potential root 
causes to your issue, unless you have some direction and cooperation 
from the hosting provider.

Attached is a basic template/list I run down with clients (I do a lot of 
security on the side, and at work too. :P ) who experience similar 
issues; I have had these be well over 30 pages, as some clients really 
have no idea how many entities are touching their systems. I don't want 
it to appear overwhelming or impossible to successfully discover the 
root cause of your particular incident; but unless you can get 
root-level log/AAA access, or some serious cooperation from the hosting 
company, you're likely not going to be able to cover all the bases.

P.S. Don't pay for ASL, you can build it yourself, just do a little 
googlin' :o)

-Ed "paranoid" Prevost

-- 
995 Maple Hill Road
Castleton, New York 12033
518-331-5061
Consult at CovenanteDesign.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20090912/5fc8ea9c/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: IR-WebApplication.xps
Type: application/vnd.ms-xpsdocument
Size: 611990 bytes
Desc: not available
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20090912/5fc8ea9c/attachment.xps>
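The suggestion above, to query the tar index to learn which paths the hosting provider collected, as an added example that is not part of the original post. The archive it inspects is a constructed stand-in built in a temp directory (the hoster's real tarball is not on this page); the function names `make_sample_tar`, `tar_index`, `tar_index_dirs` and `tar_unsafe_entries` are this example's own. Nothing is extracted: listing the index is enough to see where the provider was looking, and it also catches archives whose entries would land outside the working directory if someone did extract them blindly.

```shell
#!/bin/sh
# Added example (not from the original post): inspect a tar archive's index
# to learn which paths the hosting provider collected, without extracting it.
set -e

# Build a constructed sample archive standing in for the hoster's tarball.
# The paths and contents here are made up for the demonstration.
make_sample_tar() {
  dir=$(mktemp -d)
  mkdir -p "$dir/var/www/html/wp-content/uploads" "$dir/tmp"
  printf 'sample' > "$dir/var/www/html/wp-content/uploads/x.php"
  printf 'sample' > "$dir/tmp/.y"
  tar -cf "$dir/evidence.tar" -C "$dir" var tmp
  printf '%s\n' "$dir/evidence.tar"
}

# Full index: permissions, owner, size, mtime and path for every entry.
# The mtimes are worth keeping; they bound when the files last changed.
tar_index() {
  tar -tvf "$1"
}

# Reduce the index to the unique directories that hold regular files.
# This is the short answer to "which parts of the system did they flag?"
tar_index_dirs() {
  tar -tf "$1" | grep -v '/$' | sed 's#/[^/]*$##' | sort -u
}

# Count entries whose path is absolute or contains a ".." component.
# A non-zero count means extracting the archive as-is could overwrite
# files outside the directory you extract into, so unpack with care.
tar_unsafe_entries() {
  tar -tf "$1" | grep -cE '(^/|(^|/)\.\.(/|$))' || true
}

# Stand-alone run: build the sample and report on it.
if [ "${0##*/}" != "sh" ] && [ -z "${TAR_INDEX_NO_MAIN:-}" ]; then
  archive=$(make_sample_tar)
  echo "== index of $archive =="
  tar_index "$archive"
  echo "== directories containing files =="
  tar_index_dirs "$archive"
  echo "== unsafe entries: $(tar_unsafe_entries "$archive")"
fi
```

Run it against the real archive with `tar_index_dirs /path/to/their.tar`; if `tar_unsafe_entries` reports anything other than 0, extract into a scratch directory with `tar -xf ... -C scratch` rather than in place.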