pitter patter on the keyboard

Has your outdated wordpress or other shrinkwrapware been compromised? (Yes >.>)

After taking steps to shut down the site you should probably use the find command to check to see if there are any unusual files which have been uploaded recently. If you scramble to close the hole and do updates before this step you will likely end up drowning any suspects in the results.

If you don’t remove, for example, a phishing page before plugging the hole you:

• May never find out it’s there
• Are contributing to phishing
• One day your ISP will probably forward you a sternly worded letter from the victimized institution and threaten to drop your service if the page is not removed in 24 hours

Use your imagination if it’s something worse, like a rootkit or webshell.

It is necessary to determine the earliest possible time the attack could have taken place. It won’t kill you to add a day or two for safety.

# find /var/www/localhost/htdocs/ -type f -ctime -X

Where X is the number of days to look back.

You may need to open the LDAP port on your Zimbra server:

# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT

Determine your Zimbra LDAP password:

# su - zimbra
$ $ zmlocalconfig -s zimbra_ldap_password
zimbra_ldap_password = XXXXXXXXXXXX

Open the Barracuda Spam Firewall administration interface. Click the Domains tab. Click the Modify link next to the domain(s) you would like to enable bad recipient rejection for. Click on the LDAP Configuration sub-tab under the Users tab. Retain all defaults except:

• LDAP Server – Change this to the host name of your Zimbra server
• Bind DN (Username) – Change this to uid=zimbra,cn=admins,cn=zimbra
• Bind Password – Change this to your zimbra_ldap_password

The much-anticipated The Pirate Bay documentary covers the events surrounding the trial and conviction of TPB founders.