Security Risk: Writeable /var/temp
The first attack against us was on a site we host for the government of Dagupan City. The second was through a writeable /var/temp on an Apache-hosted site. The third one (that we know of) is on another Apache-hosted site.
This third time, the attacker, presumably someone going by the name cosmin (from the id in the files), used the uploaded files (zbind) to launch SSH attacks against other servers around the world. The attacks are a form of brute force against the SSH authentication of the target servers. As a result, a lot of server admins are up in arms about this latest incident.
The vulnerability was traced to the writeable /var/temp. We had warned our hosted clients that this was a security risk, but some web developers needed time to convert their applications and so needed the directory to stay writeable.
To the internet community at large: please take a look at your servers and make sure that /var/temp is not writeable. Also, restrict SSH to listen only to a range of allowed IP addresses rather than to the whole of the internet.
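The two checks asked for above, as an added example that is not code from the original post: a small POSIX shell audit that flags a directory writable by "other" (the condition the post describes on /var/temp), removes that bit, and prints the firewall rules and sshd_config lines that confine SSH to an allowed range. The directory path, the 203.0.113.0/24 range and the 192.0.2.10 listen address are constructed placeholders, not values from the incident.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a directory for the
# world-writable permission the post describes on /var/temp, tighten it, and
# print the sshd/firewall settings that limit SSH to an allowed address range.
# The directory path, the 203.0.113.0/24 range and the 192.0.2.10 listen
# address are constructed placeholders, not values from the incident.

# Exit 0 when DIR is writable by "other" (any local account, including the web
# server's, can drop files such as an uploaded attack kit there), else exit 1.
# A sticky bit (e.g. mode 1777) still counts as writable: files can be created.
is_world_writable() {
    dir="$1"
    # GNU stat first, BSD/macOS stat as fallback; both print the octal mode
    mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir")
    other=${mode#"${mode%?}"}       # last octal digit = "other" bits
    [ $(( other & 2 )) -ne 0 ]      # bit 2 = write
}

# Print a one-line verdict for DIR, suitable for a cron-driven audit.
# Returns 1 when the directory is world-writable so callers can act on it.
audit_dir() {
    if is_world_writable "$1"; then
        echo "WORLD-WRITABLE: $1"
        return 1
    fi
    echo "ok: $1"
}

# Remove the "other" write bit; the owning service account keeps its access.
harden_dir() {
    chmod o-w "$1"
}

# Emit iptables rules that accept SSH only from ALLOWED_RANGE and drop the rest.
# Printed rather than applied so the output can be reviewed first.
ssh_firewall_rules() {
    allowed="$1"
    printf 'iptables -A INPUT -p tcp --dport 22 -s %s -j ACCEPT\n' "$allowed"
    printf 'iptables -A INPUT -p tcp --dport 22 -j DROP\n'
}

# Emit sshd_config lines that bind sshd to one internal address and refuse
# password guessing, the form of attack the post describes.
sshd_config_lines() {
    listen_addr="$1"
    printf 'ListenAddress %s\n' "$listen_addr"
    printf 'PasswordAuthentication no\n'
    printf 'PermitRootLogin no\n'
}

# Usage: sh audit.sh /var/temp   (does nothing when run without arguments)
if [ -n "${1:-}" ]; then
    audit_dir "$1" || echo "fix with: chmod o-w $1"
    ssh_firewall_rules 203.0.113.0/24
    sshd_config_lines 192.0.2.10
fi
```

The permission check reads the mode bits rather than testing write access as the current user, so it gives the same answer whether run as root or as an unprivileged account. The firewall and sshd lines are printed, not applied, because a mistyped range on a remote box locks the administrator out along with the attacker.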
Filed under: Computing, Security