[sudo-sys] server compromise debrief

Matthew Senate mattsenate at gmail.com
Tue May 27 10:55:29 PDT 2014


Thanks Jordan for your diligence and an excellent "bedside manner" with the
Linode support technicians!

// Matt


On Tue, May 27, 2014 at 10:43 AM, Yar <yardenack at gmail.com> wrote:

> Last week the sudoroom.org server had a compromise. We are pretty sure
> that it was caused by an outdated Tor which I had stupidly installed
> from Ubuntu's repos instead of from torproject.org. Tor was running as
> a client and serving some .onion addresses but was not any kind of
> relay or middle/exit node.
>
> On Monday (May 19) Linode started getting complaints that our ip
> address was scanning parts of the internet for port 22. At that point
> we started auditing and upgrading some neglected services. We also
> started filtering and logging outgoing iptables. The next day we
> caught another scan in progress and realized it was probably the
> "debian-tor" user, so we switched to the more up-to-date package from
> torproject.org. We haven't seen another scan since then.
>
> We will keep most outgoing packets filtered at least until we switch
> to a new server. That's going to happen soon, as soon as sudoroom has
> a proper debit card. We can open up specific ports meanwhile if you
> need them.
>
> The drama is probably over but this is just to let you all know what
> happened.
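The debrief above says the scan was caught by filtering and logging outgoing iptables traffic and then attributed to the "debian-tor" user. The following is an added example (not from the original thread or from sudoroom's systems) of the analysis side of that approach: it parses kernel log lines of the shape an iptables OUTPUT rule such as `iptables -A OUTPUT -p tcp --syn -j LOG --log-prefix "OUT-SYN: " --log-uid` produces (the `--log-uid` option appends the owning process's UID and GID), and reports which local uid fanned out SYNs to many distinct hosts on port 22. The sample log lines, the uid 113 standing in for the Tor daemon's account, and the addresses are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of kernel log lines as written by an iptables LOG rule with
# --log-uid. Hostnames, uids and IP addresses are made up; uid 113 is assumed here
# to be the tor daemon's account and uid 1000 an administrator's shell.
SAMPLE_LOG = """\
May 20 03:14:07 box kernel: [1201.001] OUT-SYN: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 PROTO=TCP SPT=51234 DPT=22 SYN URGP=0 UID=113 GID=120
May 20 03:14:07 box kernel: [1201.002] OUT-SYN: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.8 PROTO=TCP SPT=51235 DPT=22 SYN URGP=0 UID=113 GID=120
May 20 03:14:07 box kernel: [1201.003] OUT-SYN: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 PROTO=TCP SPT=51236 DPT=22 SYN URGP=0 UID=113 GID=120
May 20 03:14:08 box kernel: [1201.004] OUT-SYN: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 PROTO=TCP SPT=51237 DPT=22 SYN URGP=0 UID=113 GID=120
May 20 03:14:08 box kernel: [1201.005] OUT-SYN: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.11 PROTO=TCP SPT=51238 DPT=22 SYN URGP=0 UID=113 GID=120
May 20 03:14:08 box kernel: [1201.006] OUT-SYN: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.12 PROTO=TCP SPT=51239 DPT=22 SYN URGP=0 UID=113 GID=120
May 20 03:14:09 box kernel: [1201.007] OUT-SYN: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 PROTO=TCP SPT=51240 DPT=22 SYN URGP=0 UID=113 GID=120
May 20 03:14:09 box kernel: [1201.008] OUT-SYN: IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.40 PROTO=TCP SPT=51241 DPT=9001 SYN URGP=0 UID=113 GID=120
May 20 03:15:30 box kernel: [1284.100] OUT-SYN: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.20 PROTO=TCP SPT=40001 DPT=22 SYN URGP=0 UID=1000 GID=1000
May 20 03:15:31 box kernel: [1285.100] OUT-SYN: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.21 PROTO=TCP SPT=40002 DPT=443 SYN URGP=0 UID=1000 GID=1000
May 20 03:15:32 box kernel: [1286.000] eth0: link is up
"""

# key=value pairs we care about; other fields (LEN, TTL, WINDOW, ...) are ignored
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT|UID)=(\S+)")

# Marker for packets that carry no UID field (no owning socket, e.g. kernel-generated)
NO_OWNER = -1


def parse_line(line):
    """Return the interesting fields of one OUT-SYN log line, or None for any other line."""
    if "OUT-SYN:" not in line:
        return None
    fields = dict(FIELD.findall(line))
    if "DST" not in fields or "DPT" not in fields:
        return None
    fields["DPT"] = int(fields["DPT"])
    fields["UID"] = int(fields["UID"]) if "UID" in fields else NO_OWNER
    return fields


def outbound_scan_summary(log_text, port=22):
    """Map each local uid to the set of distinct hosts it sent TCP SYNs to on `port`."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and f.get("PROTO") == "TCP" and f["DPT"] == port:
            targets[f["UID"]].add(f["DST"])
    return targets


def suspicious_uids(log_text, port=22, threshold=5):
    """Uids that contacted at least `threshold` distinct hosts on `port`.

    High fan-out from a single service account to one port is the pattern a
    scanner leaves, whereas an admin's occasional ssh session touches one host.
    """
    summary = outbound_scan_summary(log_text, port)
    return sorted(uid for uid, hosts in summary.items() if len(hosts) >= threshold)


if __name__ == "__main__":
    for uid, hosts in sorted(outbound_scan_summary(SAMPLE_LOG).items()):
        print(f"uid {uid}: {len(hosts)} distinct hosts on tcp/22")
    print("suspicious uids:", suspicious_uids(SAMPLE_LOG))
```

Once a uid stands out, `getent passwd <uid>` names the account and `ss -tnp` (as root) shows which process owns the sockets, which is the step that ties the traffic to a specific daemon and its package rather than to the host as a whole.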