[Gnumed-devel] URGENT - hherb.com hacked
From: Horst Herb
Subject: [Gnumed-devel] URGENT - hherb.com hacked
Date: Sun, 21 Nov 2004 16:22:45 +1100
User-agent: KMail/1.7
hherb.com has been hacked, a root kit installed.
This probably happened on the 15th of November (at least some of the rootkitted files,
like rm, chmod, login, ifconfig etc., bear such a time stamp, and log entries
before that date look unsuspicious).
I am in the process of cleaning up, but it is not easy.
I rsynced the whole server onto a safe machine, but databases need to be
backed up.
Everybody with access to hherb.com: please back up immediately all your own
files, especially database dumps.
The network interface was set into promiscuous mode at least since the 15th of
November - if you logged in after that, consider your passwords compromised
and change them on all other systems if you use the same one (which you
shouldn't).
I will switch that server off on Tuesday; the replacement will probably be
seamless - I have already commissioned a much faster machine (with 1 GB RAM
and a 160 GB hdd on a 100 MBit internet connection) - but on that one I will
not allow others to get root-like access anymore, after the current
disaster.
The new server will be firewalled *on top* of the firewall that was/is
provided by the data centre.
I don't know yet how the root kit was installed. Since the 15th, I have been
syncing the logs onto a local machine and watching all activity - the intruder
appears to have abused the machine for spamming, and hasn't defaced anything.
The server didn't contain any confidential data and was purely used for open
source projects, hence no data theft was possible.
I could trace the intruder to a few other hacked sites, where he has deposited
lists with hundreds of thousands of "valid" e-mail addresses, but I have not
been able to identify the intruder yet.
Horst