Re: [Hampshire] ssh permission denied?

Author: Hugo Mills
Date:  
To: Hampshire LUG Discussion List
Subject: Re: [Hampshire] ssh permission denied?

gpg: Signature made Wed Jan 26 09:34:36 2011 GMT
On Tue, Jan 25, 2011 at 07:44:31PM -0500, Andy Random wrote:
> It does indeed look like the server has been compromised :(
>
> I agree with Adam that it seems pretty odd that they would mess with
> the permissions on ssh so only root can use it, without that it
> would have taken me longer to notice the problem...


You're assuming that the crackers are competent, or indeed know any
more than how to run a prepackaged script. This could be a script
kiddie with a badly-written rootkit.

[snip]
> There are no further logins by "sysconf" reported, but obviously
> once they were in all bets are off.
>
> So what now, last I heard there really wasn't a good way to "fix" a
> system once it was compromised.
>
> I can re-install and re-configure the server, but I'd really like to
> know what was exploited to get in originally so I can make sure it
> doesn't happen again.
>
> Any suggestions on where to look for that?


Logs of services -- whatever you have for HTTP, SMTP... Also look
with find for all files modified on (or since) January 10th. That may
give some clues.

It needn't be a single root-gaining attack: it could be a
combination of a remote non-root attack (e.g. on apache) and a local
root escalation.

Hugo.

-- 
=== Hugo Mills: hugo@... carfax.org.uk | darksatanic.net | lug.org.uk ===
  PGP key: 515C238D from wwwkeys.eu.pgp.net or http://www.carfax.org.uk
    --- In one respect at least, the Martians are a happy people: ---    
                          they have no lawyers.
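The "find for files modified since January 10th" check Hugo suggests, written out as an added example (not code from the original thread). It assumes GNU find (-newermt/-newerct and -printf are GNU extensions), that the scan is run against a trusted copy of the disk or from rescue media, and the function names files_changed_since and backdated_since are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original thread. On a live compromised host the
# find binary and the timestamps themselves may have been altered, so run this
# from rescue media or against a mounted image where possible.

# All regular files whose modification time (mtime) or inode-change time
# (ctime) is on or after DATE (YYYY-MM-DD). ROOT may be "/" or a mounted image.
# /proc, /sys and /dev are pruned; -xdev keeps find on one filesystem, so
# repeat per mount point (e.g. /home, /var) if they are separate.
files_changed_since() {
    root="$1"; since="$2"
    find "$root" -xdev \
        \( -path "${root%/}/proc" -o -path "${root%/}/sys" \
           -o -path "${root%/}/dev" \) -prune -o \
        -type f \( -newermt "$since" -o -newerct "$since" \) \
        -printf '%TY-%Tm-%Td %CY-%Cm-%Cd %u %m %p\n' 2>/dev/null | sort -k5
}

# Files whose mtime claims to predate DATE but whose ctime is on or after it.
# touch(1) can backdate mtime, but ctime is set by the kernel on every inode
# change and cannot be set from userland, so this pattern is a classic sign
# that a file was written during the intrusion and then had its date reset.
backdated_since() {
    root="$1"; since="$2"
    find "$root" -xdev -type f ! -newermt "$since" -newerct "$since" \
        -printf '%TY-%Tm-%Td %CY-%Cm-%Cd %p\n' 2>/dev/null | sort -k3
}

# Small helper so results can be counted rather than only eyeballed.
count_lines() { grep -c . ; }
```

Output columns are mtime, ctime, owner, mode and path; compare the owner and mode of anything in /usr/bin, /sbin or /lib against a package manager's verify output (e.g. rpm -V or debsums) from a known-good source.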