One of my customers is down...
Jay R. Ashworth
jra at baylink.com
Fri Sep 14 10:18:29 PDT 2007
On Fri, Sep 14, 2007 at 12:07:45PM -0500, Mike Schwartz wrote:
> One of my agricultural customers thinks somebody was trying to
> hack into their Linux (filepro version 5.6.??) server last night.
> Their firewall paged their systems guy at 2:00 AM this morning,
> telling him that there were thousands of login attempts going on,
> so he shut down their servers. Of course, they changed all their
> passwords this morning and so forth before bringing the system back
> up, and the system is off of their network right now, so I can't
> log into it and see what is going on.
There are several Linux attack programs out there that try dictionary
attacks on the ssh daemon, and older sshd's had a different hole that
would provide a root shell without a valid login.
Check /var/log/messages to see if they were getting hammered.
> This morning, whenever they go into a filepro file using an
> index, they are immediately kicked back to the filepro main menu.
> They select #4, Index Selection, then index "A", or "1",
> and then type in a value to search for. As soon as they press
> "Esc", they get kicked back to the main menu.
>
> Unless any of you have a suggestion, I am going to try to
> talk them through: 1) reinstalling filepro and, if that fails, 2)
> restoring their whole server from their BRU backups.
I don't know that that will be enough.
Unless this was a targeted attack, the most likely situation, off hand,
is that a crack attack succeeded, and the machine's been rootkitted in
a way that makes the filepro binaries not run.
I can't imagine anyone target-attacking filepro. :-}
You're likely going to have to back up the data files, and do a
restore to a full save earlier than the attack, and then layer the data
back on.
I hope you have them *doing* full saves (plug here for BackupEdge).
Cheers,
-- jra
--
Jay R. Ashworth Baylink jra at baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com '87 e24
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
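
Added example, not part of the original message: one way to do the log check suggested above, counting sshd password failures per source address and flagging any source that later got an accepted login. It assumes OpenSSH's usual "Failed password for" / "Accepted password for" syslog wording and that those lines reach the file you pass in (many distributions write them to /var/log/secure or /var/log/auth.log instead of /var/log/messages); the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# ssh_bruteforce_summary LOGFILE [THRESHOLD]   (hypothetical helper name)
# Prints "<ip> failed=<n> accepted_after_failures=<yes|no>" for every source
# address with at least THRESHOLD (default 5) failed password attempts.
ssh_bruteforce_summary() {
    awk -v min="${2:-5}" '
        # Usernames are chosen by the remote side and may contain "from",
        # so take the address after the LAST "from" on the line.
        function src(line,   n, f, i) {
            n = split(line, f, " ")
            for (i = n - 1; i >= 1; i--) if (f[i] == "from") return f[i + 1]
            return ""
        }
        /sshd\[[0-9]+\]: Failed password for / {
            ip = src($0); if (ip != "") failed[ip]++
            next
        }
        /sshd\[[0-9]+\]: Accepted (password|publickey) for / {
            # Only a login that follows earlier failures from the same source counts.
            ip = src($0); if (ip != "" && (ip in failed)) hit[ip] = 1
            next
        }
        END {
            for (ip in failed) if (failed[ip] >= min)
                printf "%s failed=%d accepted_after_failures=%s\n", ip, failed[ip], (ip in hit) ? "yes" : "no"
        }
    ' "$1" | sort
}

# Constructed sample lines (documentation address ranges, made-up hosts and users).
sample_log() {
    cat <<'EOF'
Sep 14 01:58:01 srv sshd[2101]: Failed password for root from 192.0.2.10 port 40001 ssh2
Sep 14 01:58:03 srv sshd[2102]: Failed password for invalid user admin from 192.0.2.10 port 40002 ssh2
Sep 14 01:58:05 srv sshd[2103]: Failed password for invalid user from from 192.0.2.10 port 40003 ssh2
Sep 14 01:58:07 srv sshd[2104]: Accepted password for fpuser from 192.0.2.10 port 40004 ssh2
Sep 14 01:58:09 srv sshd[2105]: Failed password for root from 198.51.100.7 port 51000 ssh2
Sep 14 01:58:11 srv sshd[2106]: Failed password for root from 198.51.100.7 port 51001 ssh2
Sep 14 01:58:13 srv sshd[2107]: Failed password for root from 198.51.100.7 port 51002 ssh2
Sep 14 02:10:00 srv sshd[2200]: Accepted password for oper from 203.0.113.5 port 52000 ssh2
Sep 14 02:11:00 srv sshd[2201]: Failed password for oper from 203.0.113.5 port 52001 ssh2
EOF
}
```

A source reported with accepted_after_failures=yes is the case to treat as a possible successful guess; run it against a copy of the log taken from the isolated machine, since logs on a compromised host may have been altered.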