If you suspect that your server is attacked successfully, remove the server from operation immediately, plug out all network connections and execute your emergency plan. Do you have plans for such scenarios? You should... If you do not have such an emergency plan then maybe the easiest and most secure way is to reinstall the whole system.
5. Are my Linux servers safe now?
If you deployed security patches quickly and you have checked that your server software were not affected and/or there is no sign of any attack then you can sit back.
However we don't have information on all software mainly we don't know how much 3rd party software is affected. For example many email security, anti-spam software process email headers and take every Received: header line and they try to resolve host names found in these headers to check them against bad IP databases. So theoretically a specially crafted email message can contain exploit code.
Of course this is only a speculation but it points out that we can never be cautious enough because sometimes the possible consequences of vulnerability cannot be predicted.
It is better to take more attention to your servers, log files and web sites of your Linux distribution and also the web sites of vendors of any 3rd party software you use on your servers in the next few days to make sure that you do not miss anything important regarding this vulnerability.
6. Is there anything I can do to be prepared for future vulnerabilities?
Just ask yourself: were you nervous after reading the security advisory about "GHOST"? If you just need to execute previously defined steps, such as updating your infrastructure, to make sure that your system is secure then you did a great job as you prepared. However existing processes and infrastructure can always be improved.
Take this time and think about your systems and processes:
- - Is there a faster way to deploy security fixes?
- - Is there any unnecessary/unused service that you can shut down to minimize attack surface?
- - Is there any setting, functionality of any currently used software that you can switch off?
- - Are you subscribed to security advisory alerts? Did you receive "GHOST" alerts in time?
- - Is anybody watching security alerts 24/7 to take all necessary steps immediately when needed?
7. What should I do as an Internet user?
You cannot do much. You are unlikely to be affected by this vulnerability. There is a very small chance that an attacker could send you a fake email or catch your email via a hacked email server or access your personal information stored on a hacked server but the probability is low enough that you should not be worried.
- Szilard Stange is director of product management at OPSWAT