Charles Stack on Wed, 16 Jan 2002 00:10:19 +0100

Shouldn't LIDS stop that from happening? How were you firewalling your machine? Did you remember to perform an NMAP or NESSUS scan on your machine before allowing it on the net? SecuritySpace.com also has some pretty elaborate scans that search for a slew of vulnerabilities.

One trick that I have found useful is to limit, through the firewall, which IPs are allowed to access SSH. That prevents the hackers from using one of the SSH password tools from getting in. I also place my publicly accessible servers in a DMZ with a backup plan in place.

Charles

-----Original Message-----
From: plug-admin@lists.phillylinux.org [mailto:plug-admin@lists.phillylinux.org] On Behalf Of epike@isinet.com
Sent: Tuesday, January 15, 2002 5:59 PM
To: plug@lists.phillylinux.org
Subject: Re: [PLUG] Hacked linux server

We were in a similar situation last year on a friend's home computer on cable... hacked just within 2 days of install. We were trying to look at the logs at /var/log/messages, /var/log/secure, /var/log/xferlog, etc... but we couldn't find them! He'd erased the _entire_ var directory. We were able to view his last activities by the root SHELL HISTORY... apparently there were still some left in the command buffer after he nuked the filesystems (left in the buffer, so his last 5 or so commands were "pico", "rm -r" and some such). After comparing with a reference install we figured he got in by a patched /bin/login and got that in by wu-ftpd...

So anyhow I guess this wouldn't help you much... anyway, just in case, maybe he still has some trace in .bash_history.

Also I started configuring TRIPWIRE after that... won't really stop it, but it's a great intrusion detector.

JondZ

> So, I run a RedHat Linux 7.1 server for our Web, FTP and DNS services.
> I've got each of those ports open through our firewall, in addition to
> SSH for me to manage it. I was having some problems the other day and
> rebooted it (yes, the Windows mentality). It failed to come up cleanly.
> I found later when I logged in, the commands netstat, ls, and ps were
> not working at all. Grabbed copies from another 7.1 server and found
> bizarre things on my system. Went for the chkrootkit floppy and found
> that I had been hit by something. Now I've got some questions (and a
> lot of work ahead of me).

______________________________________________________________________
Philadelphia Linux Users Group - http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion - http://lists.phillylinux.org/mail/listinfo/plug
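Both JondZ's "compare with a reference install" and the Tripwire suggestion boil down to one technique: hash every file against a trusted baseline and report what changed. The following is an added illustration of that check, not code from the list or from Tripwire; the two directory trees, file names and contents are constructed in a temporary directory so it runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative path) to its digest; symlinks are skipped."""
    root = Path(root)
    return {
        str(p.relative_to(root)): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def compare_baselines(reference, current):
    """Return files that were modified, missing, or newly added relative to the reference."""
    return {
        "modified": sorted(k for k in reference if k in current and reference[k] != current[k]),
        "missing": sorted(k for k in reference if k not in current),
        "added": sorted(k for k in current if k not in reference),
    }


def demo():
    """Constructed scenario mirroring the thread: a replaced /bin/login, a wiped history, a dropped file."""
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as live:
        for d in (ref, live):
            for sub in ("bin", "root", "tmp"):
                os.makedirs(os.path.join(d, sub))
            Path(d, "bin", "login").write_bytes(b"ELF clean login (constructed)")
            Path(d, "bin", "ls").write_bytes(b"ELF clean ls (constructed)")
            Path(d, "root", ".bash_history").write_text("ls\n")
        # Tamper only with the "live" tree; the reference install stays pristine.
        Path(live, "bin", "login").write_bytes(b"ELF modified login (constructed)")
        Path(live, "root", ".bash_history").unlink()
        Path(live, "tmp", ".dropped").write_bytes(b"constructed leftover")
        return compare_baselines(build_baseline(ref), build_baseline(live))
```

The baseline and the checker must live off the host (read-only media or another machine): as the thread shows, an intruder who can wipe /var can just as easily rewrite a baseline stored locally.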