Linux server hacked, response time very slow, now I'm in an intercompany war...

Some background:

My company is one large company with multiple sister companies.  The
sister companies are just like siblings, so none of them get along so
we have 4 distinct IT groups that share one network.

Last Thursday one of the other IT guy's server was hacked.  It was a
linux plesk test server.  The hacker installed a couple of phishing
sites for ebay and paypal.  I received an email from ebay informing me
of the phishing sites.  I informed the IT guy at 10 pm, expecting him
to take it off the network or shut the server down almost immediately.
Seems he just looked at it, then went to sleep.

Fast forward to the next day, the phishing sites are still up.  I get
back on the phone and start getting more assertive with that IT group,
and around 1 pm, 15 hours after identification of a compromised server,
the phishing sites were taken down.

I had the IT guy come into my office and basically try to start a fight
with me because I told him his response times were unacceptable for
this kind of security breach.  Now I'm smack in the middle of an
intercompany IT war.

The actual damage from this security breach was low, because it looks
like the hacker (or cracker depending on how specific you are ;) ) had
not yet released his mass emails for these phishing sites.  Besides two
contacts from ebay, and a contact from an unknown observer, there were
no repercussions.

My question:

Now I have to go into a meeting and explain why that IT guy was not
doing his job properly.  What are possible implications of a rooted
server, sitting on a 10 mbps fiber line to the internet?  Of course it
has a public ip that is tracked right back to us.

Re: Linux server hacked, response time very slow, now I'm in an intercompany war...

extremesanity wrote:


I rather tend to doubt there will be much consequence directly to you, given
one caveat:  What was the timeline between the attack and your receipt of
the e-mail regarding the site? If you can demonstrate, for example by means
of e-mail printouts, written documents, etc., that you responded more or
less immediately (defined as within less than one business day), then you,
personally, should be off the hook. Emphasis on 'should be'.

I see three major implications. Company data might have been compromised;
other servers might have been compromised through yours, and your company
might be held liable; there might be negative publicity; and there could
conceivably be some financial loss, owing to the above. There might be
others of which I'm not aware.


Re: Linux server hacked, response time very slow, now I'm in an intercompany war...

[case of slaggy response from IT staff, when a compromised server
 should've been taken offline quickly]


The primary implications are technical; I think I might be able to
outline some of these. The secondary implications are juridical,
and so depend on your local jurisdiction. I won't be commenting on

I'd concentrate on the implications on your site;
It could be that this compromised server has some access to company
internal machines that an outside machine does not - so this machine
could in that case be used to launch an attack to internal machines,
which have been presumed to be protected by a perimeter firewall.

It could be that the machine contained data confidential to the company
(or even worse, data confidential to customers of business partners of
the company). With a compromised server, you have to assume that all
confidential data on this server is now in unknown hands.
Wolf  a.k.a.  Juha Laiho     Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
         PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)

Re: Linux server hacked, response time very slow, now I'm in an intercompany war...

Juha Laiho wrote:

I think one should also emphasise the financial implications.

If you pay for internet traffic by the MB, or have caps beyond which you
pay extra, then you potentially have someone using your bandwidth via
that server increasing your costs.

Then there is the risk of you being blacklisted. For example, if the
machine is your outbound mail server and someone starts sending spam
through it then it could be blacklisted causing the emails you send to
be bounced instead of reaching customers.

Then there is the risk of your ISP blocking your service if they receive
complaints about attacks and/or spam and/or your server being used to
host phishing sites.

Then there is the risk of being held legally responsible, especially if
you have not dealt with the problem once you know the server has been
rooted and it is used for illegal activity.

Of course, there is also your moral responsibility.
Flash Gordon, living in interesting times.
Web site - /
comp.lang.c posting guidelines and intro:

Re: Linux server hacked, response time very slow, now I'm in an intercompany war...

Flash Gordon wrote:


I think that we can all imagine scenarios which could be very damaging for
your company - it may be worth pointing out a few of them and discussing
liability. You have observed use of the site for phishing but the fact that
the machine has been compromised means that it could have been used for
*anything* (even if they got no further than one machine with no non-public
data on it, it could be used for terrorism, drug money laundering, kiddie
pr0n) and you may never be able to find out what.

But it's important not to lose sight of the real issue - the length of time
it took before any action was taken to address a known security breach. Too
much conjecture about what may have happened or what anybody can say did
happen is a great tactic for misdirection. Timescales and action paths are
the key stones of a security policy - it should also cover policy on
notification and seizure. And if they are not documented in your policy or
you have no such policy then the person responsible for the policy should
also be getting keel-hauled.

If this is unfamiliar territory, I'd recommend reading

By now, of course, that meeting will have come and gone - so what happened?


Re: Linux server hacked, response time very slow, now I'm in an intercompany war...


The meeting was pushed back to today.

Basically 2 other IT guys (who are good friends) and their
inexperienced manager defended their 15 hour window by playing down the
actual damage, and basically saying they were not going to take the 5
minutes to block the machine at the router because the risk was not
significant enough.

Now the 4 IT groups take risk assessments individually and are
responsible for their own LANs.  Pretty shitty resolution if you ask

I hope one day to work in a real organization that takes personal
responsibility, professionalism, and ethical conduct as primary
concerns.  Call me an idealist.  ;)

Re: Linux server hacked, response time very slow, now I'm in an intercompany war...

extremesanity wrote:

Most 'corporations' have the primary concern of making money for
stockholders; however, many have yet to realise that operating without the
above-mentioned concerns (can/will/has) often lead to disastrous
consequences. It's all a matter of trade-offs; usability/security,
cost/benefit, etc.

Having said that though, wouldn't an ideal world be less interesting?

Re: Linux server hacked, response time very slow, now I'm in an intercompany war...


I touch on this question in passing in an old article I did for IDG
called "Attacking Linux
( ).  I
hope it's useful to you.

   Some of those processes will be spy programs, running to capture
   login information entered by local users for remote systems elsewhere.
   Those will be logged and conveyed back to the attacker, giving him new
   targets. Some may be network sniffers, monitoring the traffic passing
   nearby, to or from other nearby machines, and likewise capturing private
   information for the bad guys. Those work by putting your network
   interface in promiscuous mode, in which the normal disregarding of other
   machines' network traffic gets disabled. Some may be clandestine network
   services, such as file-swapping, that are useful for the attacker and
   his friends. Most distressing of all, some may be carrying out attacks
   on other systems. The older variety of those involved flooding distant
   machines with either normal or deliberately malformed network traffic
   (ping, ping of death, smurf, SYN flooding, teardrop, land, bonk), as a
   denial of service (DoS) attack. Then starting last year, the
   more-organized DDoS tools (trinoo, Tribal Flood Network, stacheldraht,
   Trank, and so on) came to sudden public attention when they were used to
   overwhelm popular Internet sites. The third-party, subverted machines
   (zombies) used to carry out those attacks appear to have been university
   machines, favored for their lax security and high Internet bandwidth,
   but your Linux hosts could be the attackers' next tools.

   Even if your machines don't cause you that order of embarrassment, the
   other risks are equally grim: you can reveal confidential data with
   business and/or personal consequences, lose that data entirely, see it
   corrupted or sabotaged, be involved in wrongful or even criminal
   activity, lose access to your computing resources, and indirectly cause
   harm to your staff and business associates. Your Website can be defaced
   or modified, or visitors might be redirected by sabotaged company DNS
   servers to entirely different sites.

Basically, the bad guys are given carte blanche to do basically _any_
wrongful act with impunity, and implicate your firm in the process.
The less diligently your firm acts to end and mitigate the incursion,
the more likely it is to be held responsible as a negligent participant.
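The article excerpt above notes that sniffers planted on a rooted box work by putting the network interface into promiscuous mode, and Juha's reply points out that such a server can see traffic it normally would not. One quick, defender-side check for that indicator is to read each interface's flag word from sysfs and the flag list that `ip -o link show` prints. The following is an added example written for this thread, not code from any of the posters or from the quoted IDG article; the `ip` output embedded in it is constructed sample data, and the `IFF_PROMISC` constant (0x100) is the value from the Linux `<linux/if.h>` header.

```python
"""Check Linux network interfaces for promiscuous mode, one indicator that a
packet sniffer is running on the host.  Added example for the thread above;
the sample `ip -o link show` output below is constructed, not captured."""
import re
from pathlib import Path

# IFF_PROMISC from <linux/if.h>; the kernel exposes the interface flag word
# as a hex string in /sys/class/net/<iface>/flags.
IFF_PROMISC = 0x100

# `ip -o link show` prints one interface per line:
#   "<index>: <name>: <FLAG,FLAG,...> mtu ..."
IP_LINK_RE = re.compile(r"^\d+:\s+(?P<name>[^:\s]+):\s+<(?P<flags>[^>]*)>")

# Constructed sample: eth0 has PROMISC set, lo and eth1 do not.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
"""


def promisc_from_sysfs_flags(flags_hex: str) -> bool:
    """Return True if a /sys/class/net/<iface>/flags value has IFF_PROMISC set."""
    return bool(int(flags_hex.strip(), 16) & IFF_PROMISC)


def promisc_from_ip_link(output: str) -> list[str]:
    """Parse `ip -o link show` output; return names of interfaces flagged PROMISC."""
    hits = []
    for line in output.splitlines():
        match = IP_LINK_RE.match(line)
        if not match:
            continue
        flags = match.group("flags").split(",")
        if "PROMISC" in flags:
            hits.append(match.group("name"))
    return hits


def scan_sysfs(root: str = "/sys/class/net") -> list[str]:
    """Walk the live sysfs tree and return interfaces currently in promiscuous mode.

    Returns an empty list on non-Linux hosts where the tree does not exist."""
    base = Path(root)
    if not base.is_dir():
        return []
    found = []
    for iface in sorted(base.iterdir()):
        flags_file = iface / "flags"
        if flags_file.is_file() and promisc_from_sysfs_flags(flags_file.read_text()):
            found.append(iface.name)
    return found


if __name__ == "__main__":
    # Offline demonstration on the constructed sample, then the live host.
    print("sample ip-link PROMISC interfaces:", promisc_from_ip_link(SAMPLE_IP_LINK))
    print("live sysfs PROMISC interfaces:", scan_sysfs())
```

Promiscuous mode is not proof of compromise on its own: a bridge port, an IDS sensor or a running `tcpdump` session will set the same flag. The value of the check is as a baseline: on a server that has no reason to sniff, any interface reported here is worth explaining before the machine is trusted again.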
