• @Anonymouse
    link
    English
    95 months ago

    I don’t know if this applies directly, but in my early days of hosting a server for fun, I installed a telnet server because my phone didn’t have SSH at the time. I forgot to close it when i was done and someone got in and installed a password sniffer. This was a Slackware box, IIRC. My only indication that there was a problem was that the “.” & “…” directories didn’t appear from an “ls -Alf”. I pulled the network cable and booted to a boot image and discovered that many key system utilities were replaced with imposters that would mask that there was an intruder. The '“ps”, “ls” and other utils were symlinked to the “…” dir in /usr/local/lib.

    I didn’t trust anything on that server and nuked it. Now, anything that’s internet facing is built from ansible and the config is stored in a repo and the repo is backed up on a drive that’s physically disconnected except when backing up. I’ve messed up the initrd from time to time and it’s usuall easier for me to reimage than try to fix it.