This client was running the Real Audio server and left the administration server running. The RealAudio system is administered through a dedicated port on the server. Once the attacker was able to guess the default password on the server, he was able to upload and execute files within the server's directory. At first, this doesn't seem too terrible until we found a directory that was linked to /etc. This attack compromised all the passwords on the system.
This, like the previous case, was complicated by the fact the the client was running multiple servers from this one machine. His argument was that both the RealAudio and the web servers were performing the same services so why should they be separated. The reason they should be separated is that his revenue generating website was down during the time it took us to respond to the incident. Had he used a dedicated web server, we could have kept the system running while we were solving the RealAudio break in.
Solution -- The latest update of the RealAudio server fixed part of the problem with permissions. Changing the administrator password should have been done at the time of install. Checking system logs showed that we had caught the break in before more back doors could be installed. For precaution, we tested to ensure that the system hadn't been rooted. All passwords on the system were changed.
For information and assistance on these or any other computer related issues, you can contact us by: E-Mail, or by calling 775/741-8278.