Peace be upon you.
After many problems caused by spam being sent from my old server, EveryOne sent me this advice:
Our investigation found that your server was only exploited. No rootkits
were installed. Nor was root access achieved. None of your local user
accounts had started the attack script either.
Simply put, the hacker exploited the system, most likely via an
apache/website script, achieved a terminal shell connection similar to ssh
and telnet, then proceeded to launch an outbound attack and did nothing
else to the system.
Some of the best ways to secure the server are: Have apache run under its
own user name (apache or httpd). Have the "user" account for apache be
unable to execute files located in the /tmp and /var/tmp directories. The
user account "nobody" should also have these execution rights removed.
Nor should apache have access to execute any other applications beyond
php/cgi/perl/etc. to prevent future exploitation.
Then you want to comb through the httpd and other logs under /var/log/ and
see if you can identify the means by which the hacker exploited the
system to gain access. (I.e. did they use a buffer overflow exploit on
apache? Or did they take advantage of some security hole in a website's
perl/cgi/php/etc. script? Was the ftp service exploited?) Once the
security hole that they came in through has been identified, you can set out to
secure the server so that it's not exploited once more via that hole.
What we need now, good people, is for you to show us how to apply these. How do I run Apache under its own name? ( Have apache run under its own user name )
Or how do I prevent the user from using the tmp folder? ( Have the "user" account for apache be
unable to execute files located in /tmp and /var/tmp directories )
And so on through the rest of the items in their advice.
Thanks in advance to everyone who contributes.
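The two items asked about above (running Apache as its own user, and stopping that user from executing anything in /tmp and /var/tmp) come down to two config edits: the `User`/`Group` directives in httpd.conf, and `noexec` on the mount options of /tmp and /var/tmp. This added example is not from the thread or the host's email; the helper names (`set_apache_user`, `harden_fstab`, ...) are made up for it, and it assumes Apache reads `User`/`Group` from a single httpd.conf and that /tmp and /var/tmp are separate filesystems listed in /etc/fstab. It works on whatever file paths you pass it, so you can try it on copies before touching the live files.

```shell
#!/bin/sh
# Added example: hardening steps from the host's advice, applied to config copies.
# Assumes: User/Group live in one httpd.conf; /tmp and /var/tmp have fstab entries.

# set_apache_user CONF USER GROUP : replace any User/Group lines with the given ones
set_apache_user() {
  conf=$1; user=$2; group=$3; tmp=$(mktemp)
  grep -Ev '^[[:space:]]*(User|Group)[[:space:]]' "$conf" > "$tmp" || true
  printf 'User %s\nGroup %s\n' "$user" "$group" >> "$tmp"
  mv "$tmp" "$conf"
}

# apache_runs_as CONF USER : succeed only if the last User directive equals USER
apache_runs_as() {
  awk -v want="$2" '$1=="User"{u=$2} END{exit (u==want)?0:1}' "$1"
}

# tmp_noexec FSTAB MOUNTPOINT : succeed only if MOUNTPOINT is mounted noexec
tmp_noexec() {
  awk -v mp="$2" '$2==mp && $4 ~ /(^|,)noexec(,|$)/ {f=1} END{exit f?0:1}' "$1"
}

# harden_fstab FSTAB MOUNTPOINT : add noexec,nosuid,nodev to that entry's options
harden_fstab() {
  fstab=$1; mp=$2; tmp=$(mktemp)
  awk -v mp="$mp" -v OFS='\t' '
    $2==mp {
      opts=$4
      n=split("noexec nosuid nodev", want, " ")
      for (i=1; i<=n; i++) if (opts !~ "(^|,)" want[i] "(,|$)") opts=opts "," want[i]
      $4=opts
    }
    { print }' "$fstab" > "$tmp"
  mv "$tmp" "$fstab"
}

# demo: run both steps against constructed sample files in a temp directory
demo() {
  d=$(mktemp -d)
  printf 'User nobody\nGroup nobody\nServerName www\n' > "$d/httpd.conf"  # constructed
  printf '/dev/sda2\t/tmp\text4\tdefaults\t0\t2\n' > "$d/fstab"          # constructed
  set_apache_user "$d/httpd.conf" apache apache
  harden_fstab "$d/fstab" /tmp
  apache_runs_as "$d/httpd.conf" apache && tmp_noexec "$d/fstab" /tmp
}
```

After editing the real files, remount (`mount -o remount /tmp`) and restart Apache, then confirm with `ps -o user,comm -C httpd` and `mount | grep /tmp` that the worker processes and the mount options actually changed.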