How do you handle this?

We run a quite secure shared environment. Shell, Cron, and PHP are all available, but chrooted and all processes run as the customer's userid.

When a customer's code is exploited (such as recent vulnerabilities in X-Cart, Phorum, etc), allowing anonymous clods to upload remote shell daemons and such, they can only get into the customer's account.

But once they do, they can wreak havoc, such as the Brazilian hacker who launched an 80Mb/sec pingflood from inside a customer account last week, or the Indian hacker who uploaded a bulkmailer system and sent out thousands of Amazon scam spams yesterday.

One option, when we detect such an event and end the undesirable behavior, is to disable the customer's account. Or, we could spend lots of time investigating the exact vector of attack and only plug the hole. Sometimes this'll be easy, sometimes maybe not.

How do other hosts deal with this sort of thing? What is your incident response policy?
