[haiku-sysadmin] Re: Notification for 78.46.189.221 -> port80:ERROR / port22:ERROR / port443:ERROR / ping:ERROR

  • From: Urias McCullough <umccullough@xxxxxxxxx>
  • To: haiku-sysadmin@xxxxxxxxxxxxx
  • Date: Tue, 22 Sep 2015 21:01:53 -0700

On Tue, Sep 22, 2015 at 8:31 PM, waddlesplash <waddlesplash@xxxxxxxxx> wrote:

On Tue, Sep 22, 2015 at 11:04 PM, <kallisti5@xxxxxxxxxxx> wrote:
My recommendation is to lock down baron and vmweb.

Urias, only allow yourself access. I can easily assume you
had nothing to do with what's going on currently.

We need to re-validate that things are secure and try to
figure out what's going on.

I don't know what's going on - I haven't logged in since the sudo
incident. I do know that a Drupal vulnerability was patched about a
week ago, and we were a bit late in patching; but Drupal/PHP/Apache
don't run as root, so an attacker shouldn't have been able to cause
this, even if they did get in...

I wasn't necessarily accusing anyone in our "team"... and by
"suspicious" I did mean that perhaps vmweb has been compromised
remotely.

I sorta doubt it was the Drupal vulnerability since apache runs under
a non-root account (at least, it should have... I'll have to verify
that once it's running again).

However, we probably should audit our security and admin users,
removing anyone who has been inactive (probably reach out to them
beforehand to make sure they're OK with it).

Shortly, I'll start it back up and monitor it for a bit to make sure
nothing strange is going on. Got a few more evening chores to take
care of first.

- Urias
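Two of the checks mentioned in this thread (confirm that Apache workers are not running as root, and find admin accounts that have gone inactive before removing them) can be scripted. The following is an added example, not code from anyone on the list or from the Haiku infrastructure: it runs the two checks over constructed sample data (a fake `ps` listing, a fake `sudo` group line and a fake "user days-since-last-login" table), so the process names, account names, the `sudo` group and the 90-day threshold are all assumptions chosen for illustration, not values from the servers discussed above.

```shell
#!/bin/sh
# Constructed sample of `ps -eo user,pid,ppid,comm` output (not real data).
# The Apache master (PPID 1) legitimately runs as root so it can bind ports 80/443;
# its workers (children of the master) are expected to have dropped to www-data.
SAMPLE_PS='USER       PID  PPID COMMAND
root         1     0 init
root      1200     1 apache2
www-data  1201  1200 apache2
www-data  1202  1200 apache2
root      1300  1200 apache2'

# Print "user:pid" for every Apache/httpd worker whose account is not the
# expected unprivileged one. Any line of output is a finding worth investigating.
apache_root_workers() {
    expected="$1"      # unprivileged account the workers should run as, e.g. www-data
    printf '%s\n' "$2" | awk -v want="$expected" '
        NR > 1 && $4 ~ /^(apache2|httpd)$/ && $3 != 1 && $1 != want { print $1 ":" $2 }'
}

# Constructed sample of a `getent group sudo` line (hypothetical account names).
SAMPLE_GROUP='sudo:x:27:urias,kallisti5,olduser,ghost'

# Constructed "user days-since-last-login" table, in the form a small wrapper
# around `lastlog` might produce; "never" marks an account that has never logged in.
SAMPLE_LASTLOG='urias 3
kallisti5 12
olduser 410
ghost never'

# Print "user:days" (or "user:never" / "user:unknown") for every member of the
# admin group that has not logged in within the given number of days.
inactive_admins() {
    days="$1"
    members=$(printf '%s\n' "$2" | cut -d: -f4 | tr ',' '\n')
    for u in $members; do
        last=$(printf '%s\n' "$3" | awk -v u="$u" '$1 == u { print $2 }')
        if [ "$last" = "never" ]; then
            echo "$u:never"
        elif [ -z "$last" ]; then
            echo "$u:unknown"
        elif [ "$last" -gt "$days" ]; then
            echo "$u:$last"
        fi
    done
}

# Run both checks over the constructed samples. On a live host you would feed
# `ps -eo user,pid,ppid,comm`, `getent group sudo` and your lastlog table instead.
echo "Apache workers not running as www-data:"
apache_root_workers www-data "$SAMPLE_PS"
echo "Admin accounts inactive for more than 90 days:"
inactive_admins 90 "$SAMPLE_GROUP" "$SAMPLE_LASTLOG"
```

The first check only reports workers (processes whose parent is not PID 1), because the master process is expected to be root; the second reports "unknown" for any group member missing from the login table so a stale account is never silently skipped.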
