Re: [sudo-sys] server compromise debrief

Last week the sudoroom.org server had a compromise. We are pretty sure that it was caused by an outdated Tor which I had stupidly installed from Ubuntu's repos instead of from torproject.org. Tor was running as a client and serving some .onion addresses but was not any kind of relay or middle/exit node. On Monday (May 19) Linode started getting complaints that our ip address was scanning parts of the internet for port 22. At that point we started auditing and upgrading some neglected services. We also started filtering and logging outgoing iptables. The next day we caught another scan in progress and realized it was probably the "debian-tor" user, so we switched to the more up-to-date package from torproject.org. We haven't seen another scan since then. We will keep most outgoing packets filtered at least until we switch to a new server. That's going to happen soon, as soon as sudoroom has a proper debit card. We can open up specific ports meanwhile if you need them. The drama is probably over but this is just to let you all know that happened. _______________________________________________ sudo-sys mailing list sudo-sys(a)lists.sudoroom.org https://lists.sudoroom.org/listinfo/sudo-sys