It's dangerous out there!

JaredRitchey (Moderator: Design Team, Shared Hoster)
Just when you thought it was safe to go back into the water, a shark attack, and this time it's fatal. Well, almost, right?

Recently we discovered an unusual set of session events on one of our servers, only to discover that some shark had managed to exploit a hole in a PHP application (which we have now fixed) to set up a root access account with full powers and then install the SHV4 and SHV5 trojans.

Now for those webmasters that know, once you have a trojan on your server there is only one way to fix it and the method is always the same. Re-Format, Re-Partition, and Re-Image. Just to be sure.

So what can you do to minimize the attacks on your server? Well, unfortunately it's tough in this business to ever call yourself a Linux expert and give a hit-and-run answer for that. To do so comes with a bit of a stigma of arrogance and presumption. So we move instead to some commonalities, so as not to portray ourselves as "EXPERTS" but rather as "professionals".

The tools I tend to use are things like SNORT, RKHUNTER, IPTABLES, CHKROOTKIT and so on.

Let's be brief with a few tips I recently suggested to another guy after having to schedule the nightmare of a reimage, after backing up dozens and dozens of hosting clients.

Install IPTABLES and close every non-essential port, allowing SSH access to the server from your IP only.

Install RKHUNTER and run it at least daily with the log file directive so you get a log file in your email.

Install SNORT or an equivalent packet sniffer to monitor your system. Granted, packet sniffers do require you to be very attentive, as they are not the kind of thing you just turn loose. Now, I own all of my machines and I've commissioned a developer to build me an SSH client that will reduce itself to my system tray so I can at any moment look at my servers' status and happenings, and I'll likely make this available as a free product for download here at webmasterpost.com. But it should not be taken for granted: if you are a server admin as well as a webmaster, then you should really monitor your packets and events on your server at least every hour.
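As an added example (not from the original post), the first two tips above turned into a reviewable script: it generates a default-deny iptables ruleset in iptables-restore format that admits new SSH connections only from one admin address and opens only the listed service ports, and it emits the cron line for a daily rkhunter run whose output is mailed to the admin. The admin IP (a TEST-NET-3 placeholder), the web ports, the mail address and the rkhunter path are assumptions to adjust for your own server; the script prints rather than applies the rules so they can be checked before being loaded as root.

```bash
#!/bin/sh
# Added example, not code from the original post. Generates (does not apply) a
# minimal default-deny iptables ruleset plus a daily rkhunter cron entry.

ADMIN_IP="${ADMIN_IP:-203.0.113.10}"     # assumption: your admin IP (TEST-NET-3 placeholder)
WEB_PORTS="${WEB_PORTS:-80 443}"          # assumption: ports the hosting server must expose
ADMIN_MAIL="${ADMIN_MAIL:-admin@example.com}"   # assumption: where rkhunter reports go
RKHUNTER="${RKHUNTER:-/usr/bin/rkhunter}"       # assumption: rkhunter install path

# Emit a ruleset in iptables-restore format. Policy is DROP on INPUT and FORWARD;
# only loopback, established traffic, SSH from ADMIN_IP, the web ports and ping
# are accepted. Everything else is logged and then dropped by the chain policy.
gen_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -s $ADMIN_IP -m conntrack --ctstate NEW -j ACCEPT
EOF
  for p in $WEB_PORTS; do
    echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  cat <<EOF
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -j LOG --log-prefix "iptables-drop: " --log-level 4
COMMIT
EOF
}

# Sanity check before loading: number of port-22 rules NOT restricted to ADMIN_IP.
# Must be 0, otherwise SSH is reachable from the whole internet.
count_unrestricted_ssh() {
  gen_rules | grep -e '--dport 22' | grep -vc -e "-s $ADMIN_IP" || true
}

# Number of INPUT rules that accept NEW inbound TCP connections (SSH + web ports).
count_open_tcp_ports() {
  gen_rules | grep -e '-p tcp' | grep -c -e 'ctstate NEW' || true
}

# Daily rkhunter run at 03:00 as root; --cronjob turns off colours and prompts,
# --report-warnings-only keeps the mail short. Output is mailed to ADMIN_MAIL.
rkhunter_cron_line() {
  echo "0 3 * * * root $RKHUNTER --cronjob --update --report-warnings-only 2>&1 | mail -s 'rkhunter daily report' $ADMIN_MAIL"
}

# Usage (as root, after reviewing the output):
#   sh firewall.sh > /etc/iptables/rules.v4 && iptables-restore < /etc/iptables/rules.v4
#   sh firewall.sh cron >> /etc/cron.d/rkhunter
case "${1:-rules}" in
  rules) gen_rules ;;
  cron)  rkhunter_cron_line ;;
  check) echo "unrestricted ssh rules: $(count_unrestricted_ssh)" ;;
esac
```

Run `sh firewall.sh check` first; anything other than `unrestricted ssh rules: 0` means the admin-IP restriction did not take effect. Load the rules from a console session (not over SSH) the first time, so a typo in ADMIN_IP cannot lock you out.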

Until I come up with more items in my configuration, I'll leave this open for others to respond and drop in their ideas. Then later I'll revisit the thread and put some links to some good wisdom I've discovered.

~ Jared
signature? whats a signature?