[sudo-sys] server compromise debrief

Yar yardenack at gmail.com
Tue May 27 10:43:14 PDT 2014


Last week the sudoroom.org server had a compromise. We are pretty sure
that it was caused by an outdated Tor which I had stupidly installed
from Ubuntu's repos instead of from torproject.org. Tor was running as
a client and serving some .onion addresses but was not any kind of
relay or middle/exit node.

On Monday (May 19) Linode started getting complaints that our IP
address was scanning parts of the internet for port 22. At that point
we started auditing and upgrading some neglected services. We also
started filtering and logging outgoing iptables. The next day we
caught another scan in progress and realized it was probably the
"debian-tor" user, so we switched to the more up-to-date package from
torproject.org. We haven't seen another scan since then.

We will keep most outgoing packets filtered at least until we switch
to a new server. That's going to happen soon, as soon as sudoroom has
a proper debit card. We can open up specific ports meanwhile if you
need them.

The drama is probably over but this is just to let you all know that this happened.
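The post mentions two defensive moves: filtering and logging outgoing packets, and attributing the scan to a particular local user (debian-tor). As an added example that is not part of the original message or the sudoroom setup, the script below emits an egress ruleset in iptables-restore format that drops new outbound connections not explicitly allowed, logs each dropped attempt together with the socket owner's UID (the LOG target's `--log-uid` option), and includes a small summarizer for the resulting kernel log lines. The allowed port list, the `EGRESS-DROP:` prefix, the `--apply` flag, and the sample log lines are all constructed for the example; the log lines are not from the compromised server.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes Linux with iptables
# and conntrack support, and a LOG target that understands --log-uid.

# Emit an egress ruleset allowing only the given TCP destination ports
# (plus DNS and established traffic). Everything else is logged with the
# owning UID and dropped, so a scanning process can be tied to a user.
egress_rules() {
    echo '*filter'
    echo ':OUTPUT DROP [0:0]'
    echo ':EGRESS_LOG - [0:0]'
    echo '-A OUTPUT -o lo -j ACCEPT'
    echo '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A OUTPUT -p udp --dport 53 -j ACCEPT'
    for port in "$@"; do
        echo "-A OUTPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo '-A OUTPUT -m conntrack --ctstate NEW -j EGRESS_LOG'
    # Rate-limit the log so a scan cannot flood syslog; --log-uid adds UID=/GID=.
    echo '-A EGRESS_LOG -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "EGRESS-DROP: " --log-uid'
    echo '-A EGRESS_LOG -j DROP'
    echo 'COMMIT'
}

# Constructed sample kernel log lines in the shape the LOG target produces
# (hypothetical hosts and UIDs; not real logs from any server).
SAMPLE_LOG='May 20 03:14:01 host kernel: EGRESS-DROP: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 PROTO=TCP SPT=41000 DPT=22 SYN UID=106 GID=113
May 20 03:14:01 host kernel: EGRESS-DROP: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.8 PROTO=TCP SPT=41001 DPT=22 SYN UID=106 GID=113
May 20 03:14:02 host kernel: EGRESS-DROP: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.2 PROTO=TCP SPT=41002 DPT=443 SYN UID=1000 GID=1000'

# Read log lines on stdin and count dropped attempts per "UID DPT" pair,
# most frequent first. One UID hitting many hosts on port 22 stands out.
summarize_egress_log() {
    grep 'EGRESS-DROP:' \
        | sed -n 's/.*DPT=\([0-9]*\).*UID=\([0-9]*\).*/\2 \1/p' \
        | sort | uniq -c | sort -rn
}

# Usage: ./egress.sh --apply 22 80 443   (as root; review the output of
# "egress_rules 22 80 443" first). Without --apply nothing is changed.
if [ "${1:-}" = "--apply" ]; then
    shift
    egress_rules "$@" | iptables-restore
fi
```

Running `printf '%s\n' "$SAMPLE_LOG" | summarize_egress_log` on the constructed lines prints `2 106 22` first: two dropped port-22 attempts from UID 106, which is the kind of signal that would have pointed at the debian-tor account. Opening a port for someone later is a matter of re-running the script with that port added to the list.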

