> One of my file-servers was destroyed by an in-house hacker,
> (consultant) rented by our alleged Chief Information Officer,
> to destroy Linux systems and thereby show that they can't
> be used in a "professional" environment.
Adminned by clueless luser? I have to agree.
> I have about 20 megabytes of logs showing the machine being
> attacked from inside our firewall. Each time an attack occurred,
> I would firewall-out its phony IP address (ipchains). A few hours
> later the cycle repeated with another phony IP address.
Instead of trying to see WTF was going on and fixing the problem instead
of symptoms? _Real_ smart... Or, at least, block everything except the boxen
that have any business accessing it? You know, with explicit "accept" rules
in the beginning of the chain with catch-all "reject" after them...
> The exploit used multiple calls to get the system time, followed
> by an attempt to mount a file-system. Apparently the exploit
> eventually works because the system went down and the result was
> that the root file-system device, /dev/sda, was completely written
> with:
>
> "S E C U R I T Y "
>
> 8 GB written with this 16-byte pattern.
Secure your box and stop whining. If an attacker can gain root on a box
you admin, it's your bloody responsibility to fix the thing, firewalls
or not. Sheesh...
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
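The allowlist input chain the reply describes (explicit accepts at the top, a catch-all after them), written out in ipchains syntax as an added example; this is not code posted anywhere in the thread. The addresses (TEST-NET 192.0.2.0/24), the client list and the interface name eth0 are assumptions, and first_match is a helper added here only to show that chain order, not the attacker's chosen source address, decides the outcome.

```shell
#!/bin/sh
# Added example, not from the thread: an allowlist ("default deny") ipchains
# input chain for a file server. Addresses and the interface name are assumed.
FILESERVER="192.0.2.10"             # assumed: the file server's own address
ALLOWED="192.0.2.21 192.0.2.22"     # assumed: the only hosts that need access
EXTIF="eth0"                        # assumed: the server's LAN interface
IPCHAINS="${IPCHAINS:-ipchains}"    # set IPCHAINS=echo for a dry run

# Emit the ruleset in the order it must be loaded. ipchains walks a chain
# top to bottom and the first matching rule decides, so the explicit ACCEPTs
# come first and the logging catch-all comes last.
build_input_chain() {
    echo "$IPCHAINS -F input"                  # start from an empty chain
    echo "$IPCHAINS -P input DENY"             # policy if nothing matches
    echo "$IPCHAINS -A input -i lo -j ACCEPT"  # local traffic
    # Anti-spoof: a packet arriving on the LAN that claims to come from the
    # server itself is forged; log and drop it before any ACCEPT can match.
    echo "$IPCHAINS -A input -i $EXTIF -s $FILESERVER -l -j DENY"
    for h in $ALLOWED; do
        echo "$IPCHAINS -A input -s $h -d $FILESERVER -j ACCEPT"
    done
    # Catch-all: everything else, whatever source it claims, is logged and
    # dropped. Forged source addresses no longer need per-address rules.
    echo "$IPCHAINS -A input -l -j DENY"
}

# Load the chain for real (with IPCHAINS=echo this only prints the commands).
apply_input_chain() {
    build_input_chain | sh
}

# Walk the emitted rules in order and report the target a packet from the
# given source address would hit. Only the -s host match is modelled; the
# helper exists to show that rule order, not the source, decides the result.
first_match() {
    src="$1"
    build_input_chain | while read -r cmd; do
        case "$cmd" in
            *" -s $src "*)        echo "${cmd##* -j }"; break ;;
            *" -A input -l -j "*) echo "${cmd##* -j }"; break ;;
        esac
    done
}
```

The catch-all uses DENY (silent drop) rather than the REJECT the reply mentions: REJECT answers with an ICMP error, and when the source address is forged that error goes to whoever the attacker named, so dropping is the safer default on a LAN where addresses are being spoofed. The same shape, accepts first then a logging catch-all with a DENY policy underneath, carries over unchanged to iptables or nftables on a current kernel.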