Subject: Re: glotz???
From: lynx <email@example.com> Date: Sun, 16 Dec 2001 19:28:56 -0500
> i need some help getting rid of some virus/worm/trojan that has grabbed
> some root privileges and stolen some of my root privileges!!
you need to clean up your system? oh, that's easy:
- unplug all network connections to it NOW.
- back up whatever personal data on it you might want to save.
- reformat, reinstall, restore from backups.
- lock down and harden the system; disable unneeded services,
  minimum privileges on everything, password and/or crypto
  protection, that sort of thing. consider running bastille.
- put in a minimally simple firewall. by "minimally simple" i
  mean "it blocks everything, and now nothing will go!"
- update your box with *all* the distro's updates until it's
  entirely current. yes, even those dozen-megabyte glibc ones.
  you'll have to poke a few holes in that firewall to make this
  go; make a point to keep them as few and as small as possible.
- shut down networking again after that point.
- go through the whole box again to see that the updates didn't
  change something important - watch those .rpmsave files.
  make sure there's nothing running or listening that you don't
  *know* you need. if you disable something and something else
  breaks, find out *why* the second thing needed the first.
- then go over your firewall again. make sure you *understand*
  what it's doing and why.
- consider installing some form of IDS (AIDE, snort) at this
- and only after all that, think about possibly maybe putting
  the thing back up online. NOT BEFORE.
sounds like a lot of work? it is. that's why people scream and cuss at
the skr1pt k1dd13s so much. there's not really very much up there you can
take lightly, though; your machine really can't be trusted until you've
gone down that list. have at it, no point waiting any longer.
> I NEED HELP PLEASE
from the description i snipped, you have certainly been hacked. go down
that list i outlined. start now.
--
PGP/GnuPG key (ID 1024D/07A530D6) available from keyservers everywhere
Key fingerprint = B5A8 62AD 8263 5415 7C3C 9245 50A7 FD59 07A5 30D6
"...life goes on long after the thrill of living is gone..."
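The two post-rebuild checks in the list above ("nothing listening that you don't *know* you need" and "watch those .rpmsave files") are the ones people most often skip, so here is an added example that is not part of lynx's reply. It is a small POSIX shell audit with two helpers: one compares socket listeners against an allowlist, the other finds package-manager config leftovers. The allowlist format ("proto port" per line), the column order of the listener input (Netid State Recv-Q Send-Q Local Peer, the shape of `ss -Hlntu` output) and the sample listener lines are all constructed assumptions for this example, not anything from the original post.

```shell
#!/bin/sh
# Added example, not code from the original mailing-list post.
# Post-rebuild audit helpers for a freshly reinstalled box.

# Hypothetical allowlist format: one "proto port" per line, listing only
# the services you *know* you need. Constructed for the example.
ALLOWLIST="tcp 22
udp 123"

# Constructed sample in the shape of `ss -Hlntu` output
# (assumed columns: Netid State Recv-Q Send-Q Local Peer).
# Two of these listeners are not on the allowlist.
SAMPLE_LISTENERS="tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:6667 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:123 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:31337 0.0.0.0:*"

# unexpected_listeners ALLOWLIST
#   Reads listener lines on stdin, prints "proto port" for every socket
#   whose proto/port pair is not in ALLOWLIST, returns 1 if any were found.
#   The port is taken from the text after the last ':' of the Local column,
#   which also works for IPv6 forms like [::]:22.
unexpected_listeners() {
    allow="$1"
    found=0
    while read -r proto _state _rq _sq laddr _peer; do
        [ -z "$proto" ] && continue
        port=${laddr##*:}
        if ! printf '%s\n' "$allow" | grep -qxF "$proto $port"; then
            printf '%s %s\n' "$proto" "$port"
            found=1
        fi
    done
    return $found
}

# find_config_leftovers DIR
#   Lists *.rpmsave / *.rpmnew / *.rpmorig files under DIR, sorted. Each one
#   marks a config file the package update either replaced (your old copy is
#   the .rpmsave) or declined to overwrite (the new default is the .rpmnew),
#   so each needs a manual diff against its live counterpart.
find_config_leftovers() {
    find "$1" -type f \
        \( -name '*.rpmsave' -o -name '*.rpmnew' -o -name '*.rpmorig' \) \
        2>/dev/null | sort
}

# Demo on the constructed sample. On a real host you would pipe `ss -Hlntu`
# into unexpected_listeners and point find_config_leftovers at /etc.
echo "== listeners not on the allowlist =="
printf '%s\n' "$SAMPLE_LISTENERS" | unexpected_listeners "$ALLOWLIST" \
    || echo "investigate each of the above before plugging the cable back in"
echo "== package config leftovers under /etc =="
find_config_leftovers /etc
```

Run it as-is to see the two rogue listeners from the sample flagged; for a real audit, replace the sample with live `ss` output and keep the allowlist as short as the box allows, since every entry in it is a hole you are choosing to keep.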