Re: Help!! Have I been attacked/compromised????
From: Bill Unruh (unruh@physics.ubc.ca) Date: 02/27/02
- Previous message: Mathias Gerber: "Re: Help!! Have I been attacked/compromised????"
- In reply to: AjN: "Help!! Have I been attacked/compromised????"
- Next in thread: ERA: "Re: Help!! Have I been attacked/compromised????"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: unruh@physics.ubc.ca (Bill Unruh) Date: 27 Feb 2002 01:07:31 GMT
In <5f2c825d.0202261024.3729c127@posting.google.com> ajay_nath@indiatimes.com (AjN) writes:
]Hello,
]I have been using RH7 on my laptop (non-networked) for several months
]now. Yesterday, I noticed strange messages at startup, which NOW shows
]up on all startups .. (Snipped below from dmesg)
] portmap: RPC call returned error 111
] RPC: task of released request still queued!
] RPC: (task is on xprt_pending)
] portmap: RPC call returned error 111
] RPC: task of released request still queued!
] RPC: (task is on xprt_pending)
] lockd_up: makesock failed, error=-111
] portmap: RPC call returned error 111
] RPC: task of released request still queued!
] RPC: (task is on xprt_pending)
]From web groups, I had heard about attacks. So I ran 'rpm -V procps'
]with the following result:
] rpm -V procps
] SM5....T /bin/ps
] SM5....T /usr/bin/top
]OUCH!!! So I ran the full verify ..
] rpm -Va |grep bin
] S.5....T /bin/netstat
] S.5....T /sbin/ifconfig
] SM5....T /bin/ps
] SM5....T /usr/bin/top
] S.5....T /usr/bin/pstree
] S.5....T /bin/ls
] S.5....T /usr/bin/find
]OUCH!! OUCH!! Definitely compromised! I have not installed any new
]packages for a long time. I do have apache running on the laptop, cuz
]I use it for testing cgi scripts.
]What's going on? How can I recover? I am a newbie in Linux sysadmin ..
]HELP!!
]Where can I get good security info??
You have been hacked. Definite.
solution-- backup all of your personal information. (also /etc and
/var/spool)
Reinstall.
put back your personal information. Use /etc backup to bring your new
system to its old state. Get the stuff from /var/spool that you need
(e.g. mail files in /var/spool/mail).
Get all the updates from Redhat and install them.
Change ALL passwords of all users (including root).
Then do
find / -perm +6000 -ls
and look through the suid/sgid files to see if they really should be
suid/sgid. ( Eg, /tmp/banana should not be an suid root file)
Then stop running all services (in /etc/xinetd.d or from the
/etc/rc.d/rc?.d directories) which you do not need.
Do not run telnet, ftp, nfs, portmap,... unless you need them.
Make sure you run ssh to get into your machine from any other system.
Not telnet.
]Thanks!!
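The `rpm -V` flag columns quoted above (S size, M mode, 5 digest, T mtime) are what tell a responder whether a binary was merely touched or actually replaced. The script below is an added example, not code from the original post or from Red Hat's tooling: it parses `rpm -Va` output, ranks each line, and flags the pattern seen in this thread (content changes across the tools an intruder replaces to hide processes, sockets and files). The watchlist `HIDING_TOOLS`, the severity scheme and the sample lines beyond the seven quoted from the post are constructed for the example.

```python
"""Triage `rpm -V` output: which files changed, how, and does it look like a rootkit?"""
import re
from typing import List, NamedTuple, Optional

# Column meaning in an `rpm -V` verify line (rpm 4 prints 8 columns; newer
# releases add a 9th "P" column for file capabilities).
FLAG_MEANING = {
    "S": "size differs",
    "M": "mode (permissions or file type) differs",
    "5": "digest (MD5) differs",
    "D": "device major/minor differs",
    "L": "symlink target differs",
    "U": "owner differs",
    "G": "group differs",
    "T": "mtime differs",
    "P": "capabilities differ",
}

# Binaries a rootkit replaces to hide its presence. Constructed watchlist for
# this example, seeded from the files listed in the thread.
HIDING_TOOLS = frozenset({
    "/bin/ps", "/usr/bin/top", "/bin/netstat", "/sbin/ifconfig",
    "/usr/bin/pstree", "/bin/ls", "/usr/bin/find", "/bin/login",
    "/usr/sbin/sshd", "/usr/bin/lsof",
})

# "SM5....T /bin/ps" or ".......T c /etc/hosts" (optional file-attribute marker)
VERIFY_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S+)$"
)
# rpm prints "missing   /path" when a packaged file is gone entirely
MISSING_RE = re.compile(r"^missing\s+(?:[cdglr]\s+)?(?P<path>/\S+)$")


class Finding(NamedTuple):
    path: str
    flags: str        # raw flag field, or "missing"
    changed: tuple    # human-readable list of what differs
    severity: str     # "critical", "high", "medium" or "low"


def classify(path: str, flags: str, attr: Optional[str]) -> str:
    """Content changes (digest or size) in a hiding tool are the trojaned-binary
    signature; an mtime-only change on a config file is ordinary noise."""
    content_changed = "5" in flags or "S" in flags
    if content_changed and path in HIDING_TOOLS:
        return "critical"
    if content_changed and attr != "c":   # "c" marks a config file
        return "high"
    if "M" in flags or "U" in flags or "G" in flags:
        return "medium"
    return "low"


def parse_verify_line(line: str) -> Optional[Finding]:
    """Turn one line of `rpm -V` output into a Finding, or None for non-verify lines."""
    line = line.strip()
    m = MISSING_RE.match(line)
    if m:
        return Finding(m.group("path"), "missing", ("file missing",), "medium")
    m = VERIFY_RE.match(line)
    if not m:
        return None   # blank line, dependency notice, etc.
    flags, attr, path = m.group("flags"), m.group("attr"), m.group("path")
    changed = tuple(FLAG_MEANING[c] for c in flags if c in FLAG_MEANING)
    return Finding(path, flags, changed, classify(path, flags, attr))


def triage(verify_output: str) -> List[Finding]:
    """Parse a whole `rpm -Va` transcript and return findings worst-first."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings = [f for f in map(parse_verify_line, verify_output.splitlines()) if f]
    return sorted(findings, key=lambda f: (order[f.severity], f.path))


def looks_like_rootkit(findings: List[Finding]) -> bool:
    """Two or more hiding tools with replaced content is a rootkit pattern,
    not a single package that happened to be rebuilt."""
    return sum(1 for f in findings if f.severity == "critical") >= 2


# Constructed sample: the seven lines quoted in the thread plus two benign
# lines (a config file whose mtime changed, and a missing documentation file).
SAMPLE = """\
S.5....T /bin/netstat
S.5....T /sbin/ifconfig
SM5....T /bin/ps
SM5....T /usr/bin/top
S.5....T /usr/bin/pstree
S.5....T /bin/ls
S.5....T /usr/bin/find
.......T c /etc/hosts
missing   /usr/share/doc/example/README
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.severity:8} {f.flags:9} {f.path}  ({', '.join(f.changed)})")
    print("rootkit pattern:", looks_like_rootkit(triage(SAMPLE)))
```

Run it against a saved `rpm -Va > verify.txt` from a suspect host and feed the file to `triage()`. Note that the check shares the limitation the thread's advice already implies: `rpm -V` consults the local RPM database with the local `rpm` binary, so on a compromised host both can lie, which is why the answer is reinstall rather than repair.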