On Thu, Jan 25, 2018 at 3:38 AM, Durumdara <durumdara@gmail.com> wrote:
> Dear Members!
>
> Thank you for the suggestions.
> Yes, the sysadmin allowed incoming connections from net.
> We will check your list when we are there.
Don't bother. We have a confirmed attack, time to take immediate remediation.
1. Disconnect machine from network _immediately_ and move to DMZ
2. Create new server and dump/restore data to the new machine
3. Determine if hacker was able to compromise to the rest of your
network. Warning signs:
*) installed extensions you didn't install dblink, plsh, plperl, etc
*) strange errors in database log
*) starnge errors syslog (is this linux/unix?)
4. Poor network security (hands free ps access to other boxes, etc)
Put short, you have to assume your network is compromised and only
change that assumption when disproven. These days, if hacker has
shell access you pretty much have reinstall the box from the ground
up. Root escalation is a thing (there are probably meltdown related
escalations out there) and once the hacker has root it's game over.
In fact, in some cases you have to throw out the hardware too.
merlin
