Mike Pflugfelder on Tue, 15 Jan 2002 23:50:21 +0100



[PLUG] Hacked linux server


So, I run a RedHat Linux 7.1 server for our Web, FTP and DNS services.  I've got each of those ports open through our firewall, in addition to SSH for me to manage it.  I was having some problems the other day and rebooted it (yes, the Windows mentality).  It failed to come up cleanly.  I found later when I logged in, the commands netstat, ls, and ps were not working at all.  Grabbed copies from another 7.1 server and found bizarre things on my system.  Went for the chkrootkit floppy and found that I had been hit by something.  Now I've got some questions (and a lot of work ahead of me).
 
First, how can I go about finding the hole that led me to this problem in the first place?  I suspect that it was either bind or ssh that did me in, but I'm not sure, and would really like to know.
 
Next, what steps should I take to prevent this from happening again?  I figure that my starting point would be to get a brand new hard drive and install a new version of Linux on that and start from scratch for a few reasons: I can't trust the system I've got right now, and I obviously had some holes somewhere that I want to patch.  I'm also figuring that I need some type of IDS.  I know that there are free ones out there, and ironically enough, I've installed a commercial one for a customer of ours.
 
The commercial products that I have a slight bit of experience with are Enterprise Security Manager and Intruder Alert from Symantec (formerly Axent).  Does anyone else have any experience with these products?  They were priced high enough for my company (in a financial slump) to not purchase them, but I'm going to try again.  What other commercial products are available for intrusion detection, or security management that I should look into?  Are there any open source products that would be easy enough for someone with moderate security knowledge to set up?
 
Finally, what web pages / mailing lists should I start looking at for security updates?  I know that I haven't done much to patch the server since I first installed it, and I know that bugs are being found every day.  I just wish that there was an easier way to keep track of all of the security holes out there...
 
Sorry for all of the questions, but I'm pretty upset right now and not thinking straight.  I'm not sure whether I'm more pissed at the fact that someone without authority was mucking with my server, or the fact that I let him get that far... :(
 
-Mike Pflugfelder
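The post above found ls, ps and netstat replaced and fell back on copies from a second 7.1 box. The script below is an added example (not Mike's code and not part of the original thread) that makes that idea systematic: take a SHA-256 manifest of binaries from a known-good host and compare the suspect tree against it using your own hashing tool, so the suspect box's possibly trojaned utilities are never trusted to report on themselves. It assumes POSIX sh, sha256sum and mktemp; the directory layout and file contents in the demo are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post. Compares a suspect tree's
# binaries against a SHA-256 manifest taken from a known-good host.
# Assumes POSIX sh, sha256sum and mktemp; the demo tree below is constructed.

# Build a manifest from a trusted tree: one "<sha256>  ./path" line per file.
make_manifest() {            # $1 = trusted root, $2 = manifest output file
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k2 ) > "$2"
}

# Compare a suspect tree against the manifest. Prints MODIFIED/MISSING lines;
# returns 1 if anything differs, 0 if every file matches. Hashing is done by
# our own sha256sum, not by any tool living on the suspect system.
check_manifest() {           # $1 = suspect root, $2 = manifest file
    bad=0
    while read -r expected path; do
        if [ ! -f "$1/$path" ]; then
            echo "MISSING  $path"; bad=1; continue
        fi
        actual=$(sha256sum "$1/$path" | cut -d' ' -f1)
        [ "$actual" = "$expected" ] || { echo "MODIFIED $path"; bad=1; }
    done < "$2"
    return "$bad"
}

# Self-contained demo with constructed files: a clean tree is manifested, then
# a copy has ps replaced and netstat removed (as a rootkit might) and is checked.
demo() {
    tmp=$(mktemp -d) || return 0
    mkdir -p "$tmp/clean/bin" "$tmp/suspect/bin"
    for b in ls ps netstat; do
        printf 'genuine %s binary\n' "$b" > "$tmp/clean/bin/$b"
    done
    make_manifest "$tmp/clean" "$tmp/manifest.sha256"
    cp "$tmp/clean/bin/"* "$tmp/suspect/bin/"
    printf 'replacement ps dropped by the intruder\n' > "$tmp/suspect/bin/ps"
    rm "$tmp/suspect/bin/netstat"
    if check_manifest "$tmp/suspect" "$tmp/manifest.sha256"; then
        echo "RESULT=clean"
    else
        echo "RESULT=compromised"
    fi
    rm -rf "$tmp"
}

demo
```

On a real incident the manifest should be generated on the clean host (or from a known-good install media) and carried over on read-only media, and the check run from a boot CD or the trusted host rather than from the compromised system.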