Tugger the SLUGger! SLUG Mailing List Archives

Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)


I suspect a bunch of people are going to jump into this thread, but to
get in early, some stories:

 - a Red Hat 5 box left to rot (this was some time ago now!), became a
   host for warez and ended up comprising something like half of its
   very substantial network's total traffic.

 - a sendmail install which was either set up as an open relay or
   compromised and turned into one, noticed almost immediately because
   of massive network usage

 - an up-to-date machine run by a competent hobbyist sysadmin of a skill
   level comparable to many people posting here, turned out to be a
   compromise through a WordPress install that wasn't up to date; took a
   while to track down apparently, it was participating in DDoS attacks

And of course, in November 2003, debian.org itself was the victim of an
attack by, I think, a still unknown vector:
http://www.debian.org/News/2003/20031121 but that might not meet your
criteria of having been used for a nefarious purpose as opposed to
'just' having been broken into.

The (few) security consultants I know seem to have universally had their
personal machines compromised at some point, this seems to partly be a
result of being more likely to notice, and partly due to attending
security conferences, where the networks are extremely hostile.

I suspect attacks through web apps like WordPress are pretty common
causes of compromise of machines run by essentially knowledgeable people at
the moment, because there doesn't seem yet to be a good set of best
practices for packaging and updating them (upstream tends to aim its
instructions at people who might not even have shell access, let alone
root access, and there's the whole plugin universe too).

-Mary
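The last paragraph's point, that web apps like WordPress tend to fall outside a machine's normal package update process, is what makes a hand-rolled install easy to forget. As an added example (not part of the original post, and not a WordPress or SLUG tool), here is a small POSIX sh inventory that finds every WordPress install under a directory tree and reads its version from `wp-includes/version.php`, which is the file WordPress core actually ships with a `$wp_version` line. The "current" version it compares against is supplied by the caller, since the script runs offline; the directory layout and version strings in the usage comments are constructed for illustration.

```sh
#!/bin/sh
# Added example, not code from the original post. Inventories WordPress
# installs that a package manager does not know about, so an admin can see
# which ones have drifted behind upstream.

# wp_inventory ROOT
# Prints one line per install found under ROOT: "<install dir>\t<version>".
# Relies on the real WordPress layout: wp-includes/version.php contains a
# line of the form  $wp_version = '2.9.2';
wp_inventory() {
    root="$1"
    find "$root" -type f -path '*/wp-includes/version.php' 2>/dev/null |
    while read -r f; do
        # Split the line on single quotes; field 2 is the version string.
        ver=$(awk -F"'" '/^\$wp_version/ { print $2; exit }' "$f")
        install=$(dirname "$(dirname "$f")")
        printf '%s\t%s\n' "$install" "${ver:-unknown}"
    done
}

# wp_status INSTALLED CURRENT
# Compares two dotted version strings numerically, component by component,
# and prints OK, OUTDATED or NEWER. CURRENT is whatever the admin looked up
# upstream (constructed values in the usage below); nothing is fetched here.
wp_status() {
    installed="$1"; current="$2"
    awk -v a="$installed" -v b="$current" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        l = (n > m) ? n : m
        for (i = 1; i <= l; i++) {
            p = x[i] + 0; q = y[i] + 0      # missing components count as 0
            if (p < q) { print "OUTDATED"; exit }
            if (p > q) { print "NEWER"; exit }
        }
        print "OK"
    }'
}

# Usage (constructed paths and versions):
#   wp_inventory /var/www          -> /var/www/site1   2.9.2
#   wp_status 2.9.2 3.0            -> OUTDATED
```

Running `wp_inventory` from cron and diffing its output against the last run is enough to catch a forgotten install or one that someone upgraded by hand; pairing each line with `wp_status` against the version upstream currently publishes turns it into a simple "what needs updating" report. Plugins live under `wp-content/plugins` and carry their own versions, so this only covers core, which is the part the post's anecdote was about.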