Gerald D. Neale on Wed, 16 Jan 2002 01:10:24 +0100



Re: [PLUG] Hacked linux server


Try Red Hat up2date. There were a whole slew of
security patches for RH 7.1 over the weekend; sudo,
mutt, pine, groff, xchat, etc...

https://www.redhat.com/support/errata/rh71-errata.html

I wouldn't be surprised if your hackers were just a
little more on top of the latest exploits than you
were. Use up2date to automate security patches. It's
very easy.

For those running RH Ximian, subscribe to the Red Hat
channel and you will get all the latest RH security
patches that way. It is the exact same service as
up2date. We've tested it side-by-side. 
http://www.mlug.ca/sklav/stories/January_issue2002

Jerry

--- Mike Pflugfelder <mikep@keyinfosys.com> wrote:
> So, I run a RedHat Linux 7.1 server for our Web, FTP
> and DNS services.  I've
> got each of those ports open through our firewall,
> in addition to SSH for me
> to manage it.  I was having some problems the other
> day and rebooted it
> (yes, the Windows mentality).  It failed to come up
> cleanly.  I found later
> when I logged in, the commands netstat, ls, and ps
> were not working at all.
> Grabbed copies from another 7.1 server and found
> bizarre things on my
> system.  Went for the chkrootkit floppy and found
> that I had been hit by
> something.  Now I've got some questions (and a lot
> of work ahead of me).
>  
> First, how can I go about finding the hole that led
> me to this problem in
> the first place?  I suspect that it was either bind
> or ssh that did me in,
> but I'm not sure, and would really like to know.
>  
> Next, what steps should I take to prevent this from
> happening again?  I
> figure that my starting point would be to get a
> brand new hard drive and
> install a new version of Linux on that and start
> from scratch for a few
> reasons; I can't trust the system I've got right now
> and I obviously had
> some holes somewhere that I want to patch.  I'm also
> figuring that I need
> some type of IDS.  I know that there are free ones
> out there, and ironically
> enough, I've installed a commercial one for a
> customer of ours.
>  
> The commercial products that I have a slight bit of
> experience with are
> Enterprise Security Manager and Intruder Alert from
> Symantec (formerly
> Axent).  Does anyone else have any experience with
> these products?  They
> were priced high enough for my company (in a
> financial slump) to not
> purchase them, but I'm going to try again.  What
> other commercial products
> are available for intrusion detection, or security
> management that I should
> look into?  Are there any open source products that
> would be easy enough for
> someone with moderate security knowledge to set up?
>  
> Finally, what web pages / mailing lists should I
> start looking at for
> security updates?  I know that I haven't done much
> to patch the server since
> I first installed it, and I know that bugs are being
> found every day.  I
> just wish that there was an easier way to keep track
> of all of the security
> holes out there...
>  
> Sorry for all of the questions, but I'm pretty upset
> right now and not
> thinking straight.  I'm not sure whether I'm more
> pissed at the fact that
> someone without authority was mucking with my
> server, or the fact that I let
> him get that far... :(
>  
> -Mike Pflugfelder
> 


=====
The Cherry hill Linux User's Group 
meets on the first Monday of every month.
http://www.chlug.org
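As an added example (not code from either poster or the PLUG archive), the following shell script shows the technique behind the open-source intrusion-detection tools Mike asks about: a file-integrity baseline. Right after a clean install and patching, record trusted hashes of critical binaries such as ls, ps and netstat, keep the manifest on read-only media, and re-check on a schedule so that a replaced binary is reported instead of discovered by accident. The function names `hash_file`, `make_baseline` and `check_baseline` are this example's own, and the files built by the `--demo` mode are constructed for illustration.

```shell
#!/bin/sh
# Added example: minimal file-integrity baseline (not from the original thread).
# Assumption: sha256sum (or shasum) is available, and the manifest is written
# to media the running system cannot modify (floppy, CD, another host), since a
# manifest stored on the compromised disk can be rewritten along with the binaries.

# hash_file FILE -> prints the SHA-256 hex digest of FILE
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_baseline MANIFEST FILE... : record a trusted hash for every file listed
make_baseline() {
    manifest=$1
    shift
    : > "$manifest"
    for f in "$@"; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f" >> "$manifest"
    done
}

# check_baseline MANIFEST : print each file that is missing or whose hash no
# longer matches the recorded one; returns 0 if all files match, 1 otherwise
check_baseline() {
    manifest=$1
    status=0
    while read -r expected path; do
        if [ ! -e "$path" ]; then
            echo "MISSING  $path"
            status=1
        elif [ "$(hash_file "$path")" != "$expected" ]; then
            echo "MODIFIED $path"
            status=1
        fi
    done < "$manifest"
    return $status
}

# Demo on constructed files: run as `sh integrity.sh --demo`.
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    printf 'trusted ps binary\n' > "$work/ps"
    printf 'trusted ls binary\n' > "$work/ls"
    make_baseline "$work/manifest" "$work/ps" "$work/ls"
    echo "first check (clean):"
    check_baseline "$work/manifest" && echo "all files match baseline"
    printf 'trojaned ps binary\n' > "$work/ps"   # simulate a replaced binary
    rm "$work/ls"                                # simulate a deleted binary
    echo "second check (tampered):"
    check_baseline "$work/manifest" || echo "baseline violated"
    rm -rf "$work"
fi
```

On a real host the file list would cover the binaries a rootkit typically replaces (ls, ps, netstat, login, sshd and the like) plus the package manager itself, and the check would run from a cron job or a boot floppy so the result does not depend on the trustworthiness of the tools already on the disk.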


______________________________________________________________________
Philadelphia Linux Users Group       -      http://www.phillylinux.org
Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion  -  http://lists.phillylinux.org/mail/listinfo/plug