One of my customers is down...

Jay R. Ashworth jra at baylink.com
Fri Sep 14 10:18:29 PDT 2007


On Fri, Sep 14, 2007 at 12:07:45PM -0500, Mike Schwartz wrote:
>         One of my agricultural customers thinks somebody was trying to
>    hack into their Linux (filepro version 5.6.??) server last night.
>    Their firewall paged their systems guy at 2:00 AM this morning,
>    telling him that there were thousands of login attempts going on,
>    so he shut down their servers. Of course, they changed all their
>    passwords this morning and so forth before bringing the system back
>    up, and the system is off of their network right now, so I can’t
>    log into it and see what is going on.

There are several Linux attack programs out there that try dictionary
attacks on the ssh daemon, and older sshd's had a different hole that
would provide a root shell without a valid login.

Check /var/log/messages to see if they were getting hammered.

>         This morning, whenever they go into a filepro file using an
>    index, they are immediately kicked back to the filepro main menu.
>    They select #4, Index Selection, then index “A”, or “1”,
>    and then type in a value to search for. As soon as they press
>    “Esc”, they get kicked back to the main menu.
>
>         Unless any of you have a suggestion, I am going to try to
>    talk them through: 1) reinstalling filepro and, if that fails, 2)
>    restoring their whole server from their BRU backups.

I don't know that that will be enough.

Unless this was a targeted attack, the most likely situation, off hand,
is that a crack attack succeeded, and the machine's been rootkitted in
a way that makes the filepro binaries not run.

I can't imagine anyone target-attacking filepro.  :-}

You're likely going to have to back up the data files, and do a
restore to a full save earlier than the attack, and then layer the data
back on.

I hope you have them *doing* full saves (plug here for BackupEdge).

Cheers,
-- jra

-- 
Jay R. Ashworth                   Baylink                      jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com                     '87 e24
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274
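
An added example, not part of the original message: one way to do the log check suggested above, counting failed sshd logins per source address and flagging any login that was accepted from an address that had been guessing passwords. The log lines are constructed samples, and the message format (standard OpenSSH syslog text) and the `threshold` value are assumptions to adjust for the real log.

```python
import re
from collections import Counter

# Standard OpenSSH syslog messages (assumed format; compare with your own log).
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?:password|publickey) for (\S+) from (\S+) port \d+")

# Constructed sample lines (documentation addresses), standing in for /var/log/messages.
SAMPLE_LOG = """\
Sep 14 01:58:02 fpserver sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Sep 14 01:58:04 fpserver sshd[4103]: Failed password for root from 203.0.113.7 port 40115 ssh2
Sep 14 01:58:05 fpserver sshd[4105]: Failed password for invalid user test from 203.0.113.7 port 40119 ssh2
Sep 14 01:58:07 fpserver sshd[4107]: Failed password for root from 203.0.113.7 port 40121 ssh2
Sep 14 01:58:09 fpserver sshd[4109]: Accepted password for root from 203.0.113.7 port 40124 ssh2
Sep 14 02:00:01 fpserver crond[4120]: (root) CMD (run-parts /etc/cron.hourly)
Sep 14 08:15:40 fpserver sshd[5210]: Failed password for fpuser from 198.51.100.20 port 51822 ssh2
Sep 14 08:15:44 fpserver sshd[5210]: Accepted password for fpuser from 198.51.100.20 port 51822 ssh2
"""

def summarize(lines, threshold=3):
    """Return (sources with >= threshold failures, logins accepted from those sources)."""
    failures = Counter()
    accepted = []
    for line in lines:
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            # Keep user, source address and the 15-character syslog timestamp.
            accepted.append((m.group(1), m.group(2), line[:15]))
    noisy = {ip: n for ip, n in failures.items() if n >= threshold}
    # A success from a source that was guessing passwords means a guess probably worked.
    suspect = [(user, ip, ts) for user, ip, ts in accepted if ip in noisy]
    return noisy, suspect

if __name__ == "__main__":
    noisy, suspect = summarize(SAMPLE_LOG.splitlines())
    for ip, n in sorted(noisy.items(), key=lambda kv: -kv[1]):
        print(f"{n:6d} failed logins from {ip}")
    for user, ip, ts in suspect:
        print(f"ACCEPTED login for {user} from {ip} at {ts}")
```

On some distributions sshd authentication messages are written to /var/log/secure or /var/log/auth.log rather than /var/log/messages, so feed the function whichever file the syslog configuration uses.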

