Mike Pflugfelder on Tue, 15 Jan 2002 23:50:21 +0100
So, I run a RedHat Linux 7.1 server for our Web, FTP and DNS services. I've got each of those ports open through our firewall, in addition to SSH for me to manage it. I was having some problems the other day and rebooted it (yes, the Windows mentality). It failed to come up cleanly. I found later, when I logged in, that the commands netstat, ls, and ps were not working at all. Grabbed copies from another 7.1 server and found bizarre things on my system. Went for the chkrootkit floppy and found that I had been hit by something. Now I've got some questions (and a lot of work ahead of me).

First, how can I go about finding the hole that led me to this problem in the first place? I suspect that it was either bind or ssh that did me in, but I'm not sure, and would really like to know.

Next, what steps should I take to prevent this from happening again? I figure that my starting point would be to get a brand new hard drive and install a new version of Linux on that and start from scratch, for a few reasons: I can't trust the system I've got right now, and I obviously had some holes somewhere that I want to patch. I'm also figuring that I need some type of IDS. I know that there are free ones out there, and ironically enough, I've installed a commercial one for a customer of ours.

The commercial products that I have a slight bit of experience with are Enterprise Security Manager and Intruder Alert from Symantec (formerly Axent). Does anyone else have any experience with these products? They were priced high enough for my company (in a financial slump) to not purchase them, but I'm going to try again. What other commercial products are available for intrusion detection or security management that I should look into? Are there any open source products that would be easy enough for someone with moderate security knowledge to set up?

Finally, what web pages / mailing lists should I start looking at for security updates? I know that I haven't done much to patch the server since I first installed it, and I know that bugs are being found every day. I just wish that there was an easier way to keep track of all of the security holes out there...

Sorry for all of the questions, but I'm pretty upset right now and not thinking straight. I'm not sure whether I'm more pissed at the fact that someone without authority was mucking with my server, or the fact that I let him get that far...
:(

-Mike Pflugfelder
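The replaced ls, ps and netstat in the post were only noticed once they stopped working. A file-integrity baseline (the core of host-based IDS tools) catches a swapped binary on the next check whether or not it still behaves. The script below is an added example, not code from the post or from any product named in it. It assumes sha256sum (or shasum) is installed, and its demo hashes a constructed temporary directory standing in for /bin so it runs anywhere; on a real host you would baseline /bin, /sbin and /usr/bin right after a clean install and keep the baseline off the machine, for example on a floppy like the chkrootkit one in the post, so an intruder cannot rewrite it.

```shell
#!/bin/sh
# Added example (hypothetical): a minimal file-integrity baseline.
# Record a SHA-256 digest per binary, then report any file that later
# differs or disappears.

# Digest one file. GNU coreutils has sha256sum; BSD/macOS have shasum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# baseline_create DIR OUT: write "digest path" for every regular file in DIR.
# OUT must live outside DIR, otherwise it would be hashed while being written.
baseline_create() {
    dir=$1; out=$2
    : > "$out"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(hash_file "$f")" "$f" >> "$out"
    done
}

# baseline_verify BASELINE: print CHANGED/MISSING lines for every deviation.
# Returns 0 when everything matches, 1 when anything differs.
baseline_verify() {
    base=$1; rc=0
    while read -r digest path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; rc=1
        elif [ "$(hash_file "$path")" != "$digest" ]; then
            echo "CHANGED  $path"; rc=1
        fi
    done < "$base"
    return $rc
}

# Demo on a constructed directory standing in for /bin. Returns 0 when the
# simulated replacement of ps is reported, i.e. when detection worked.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/bin"
    printf 'original ls\n'      > "$tmp/bin/ls"       # constructed stand-ins
    printf 'original ps\n'      > "$tmp/bin/ps"
    printf 'original netstat\n' > "$tmp/bin/netstat"
    baseline_create "$tmp/bin" "$tmp/baseline.txt"

    printf 'replaced ps\n' > "$tmp/bin/ps"             # simulate a trojaned ps

    if report=$(baseline_verify "$tmp/baseline.txt"); then
        status=0
    else
        status=1
    fi
    echo "$report"
    rm -rf "$tmp"
    [ "$status" -eq 1 ] && echo "$report" | grep -qF "CHANGED  $tmp/bin/ps"
}

demo
```

Run it on a fresh install to create the baseline, and re-run the verify step from a known-good shell and hash tool (for example booted from rescue media), since a kit that replaces ls and ps can just as easily replace sha256sum. On an RPM-based system `rpm -Va` is a quick first pass for the same question, but it trusts the local rpm binary and package database, so the offline baseline is the stronger check.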