Security Issue
Preston Kutzner
shizzlecash at gmail.com
Thu Feb 12 20:09:04 UTC 2009
On Feb 12, 2009, at 1:23 PM, Walton Hoops wrote:
> I had already checked the SSH logs, and just checked 'em again using
> the grep lines you suggested. The last time anyone sshed in was 3
> days prior, and it was me :-). Su was not used at all.
> The open services on the machine are:
> SSH - which we covered
> IMAPS (Dovecot) - Showed no unusual activity, just the usual spam
> from my filters
> SMTP/SMTPS (Sendmail) - Also showed no unusual activity
> MySQL - Shows only logins from Wordpress and PHPBB
> HTTP/HTTPS (Apache) - Just googlebot (my page doesn't get many
> visitors), and me checking vnstat.
Is your PHPBB installation up to date with the latest version/patches?
PHPBB is notorious for being a vector for security breaches. It is
possible someone hacked your machine through PHPBB. I would double-check
your apache logs for any odd transfers during that time-frame. Also, do
a netstat -tap to double check those are the only services open on your
box.

Outside of that, do you have your system set up to automatically
download / install Ubuntu updates? I know this is a new option in
Intrepid. It is possible that's when your system decided to run its
updates. I don't use it personally, but I believe the logs for it are
stored in /var/log/unattended-upgrades. You can also check
/var/log/apt/term.log* and/or /var/log/aptitude to see if apt did
anything during that time.
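
The Apache log check suggested in the reply above, as an added example that is not part of the original message: it narrows an access log to a time window, lists requests that were large or not GET/HEAD, and totals bytes per client. The function names, window bounds, byte threshold and sample log lines are assumptions constructed for illustration; the log is assumed to be in common/combined format with one timezone.

```shell
# Added example, not from the original thread. Window bounds are
# YYYYMMDDHHMMSS in the log's own timezone (assumed constant in the file).

# in_window LOGFILE START END -> "time ip method path status bytes"
in_window() {
    awk -v start="$2" -v end="$3" '
    BEGIN {
        n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= n; i++) mon[m[i]] = sprintf("%02d", i)
    }
    {
        split(substr($4, 2), t, "[/:]")      # $4 = [12/Feb/2009:03:10:12
        key = t[3] mon[t[2]] t[1] t[4] t[5] t[6]
        if (key < start || key > end) next   # 14-digit keys sort as text
        bytes = ($10 == "-") ? "0" : $10     # "-" means no body was sent
        print key, $1, substr($6, 2), $7, $9, bytes
    }' "$1"
}

# odd_transfers LOGFILE START END MIN_BYTES
# Requests that sent at least MIN_BYTES or used a method other than GET/HEAD.
odd_transfers() {
    in_window "$1" "$2" "$3" |
        awk -v min="$4" '$6 + 0 >= min + 0 || ($3 != "GET" && $3 != "HEAD")'
}

# bytes_by_client LOGFILE START END -> "ip total_bytes", largest first
bytes_by_client() {
    in_window "$1" "$2" "$3" |
        awk '{ sum[$2] += $6 } END { for (ip in sum) printf "%s %.0f\n", ip, sum[ip] }' |
        sort -k2,2nr
}

# Constructed sample log (documentation-range addresses, made-up paths).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [12/Feb/2009:02:59:58 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Googlebot/2.1"
198.51.100.7 - - [12/Feb/2009:03:10:12 +0000] "POST /forum/posting.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Feb/2009:03:11:40 +0000] "GET /forum/backup.tar HTTP/1.1" 200 73400320 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Feb/2009:03:20:00 +0000] "GET /robots.txt HTTP/1.1" 304 - "-" "Googlebot/2.1"
203.0.113.5 - - [12/Feb/2009:05:00:01 +0000] "GET /vnstat/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF
}
```

Run against a real log by passing its path and the window that matches the traffic spike, for example the hour vnstat flagged.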