Re: Help!! Have I been attacked/compromised????
From: Eugene Rosenzweig (ugn@hotmail.com) Date: 02/27/02
- Previous message: James Riden: "Re: Crypto info"
- In reply to: Tim Haynes: "Re: Help!! Have I been attacked/compromised????"
- Next in thread: Mathias Gerber: "Re: Help!! Have I been attacked/compromised????"
From: "Eugene Rosenzweig" <ugn@hotmail.com> Date: Wed, 27 Feb 2002 23:37:17 +1100
Check your /etc/passwd for any stray accounts.
Check xinetd.conf, or every file in xinetd.d, for any services you did not put there.
Check all startup scripts for trojans run from there on startup.
I think I did rpm -Va to verify everything on the system.
Note the file creation time of the planted files and search for any file with the same date/time.
Check all of /var/log/* for records of unauthorised access.
some suggestions I read elsewhere:
find all suid root programs:
    find / -perm /6000 -ls    # /6000 = setuid or setgid bit set (older find spelled this +6000)
find all programs with a bogus user/group:
    find / \( -nouser -o -nogroup \) -exec ls -lad {} \;
Security FAQ:
http://www.linuxsecurity.com/docs/colsfaq.html
Scan yourself from one of the many online scanners to see if you have any ports open or strange services running, or get nmap and scan yourself from your own machine.
"Tim Haynes" <usenet@stirfried.vegetable.org.uk> wrote in message
news:86y9hgkr9w.fsf@potato.vegetable.org.uk...
> ajay_nath@indiatimes.com (AjN) writes:
>
> [snip]
> > From web groups, I had heard about attacks. So I ran 'rpm -V procps'
> > with the following result:
> >
> > rpm -V procps
> > SM5....T /bin/ps
> > SM5....T /usr/bin/top
> >
> > OUCH!!! So I ran the full verify ..
> >
> > rpm -Va |grep bin
> > S.5....T /bin/netstat
> > S.5....T /sbin/ifconfig
> > SM5....T /bin/ps
> > SM5....T /usr/bin/top
> > S.5....T /usr/bin/pstree
> > S.5....T /bin/ls
> > S.5....T /usr/bin/find
> >
> > OUCH!! OUCH!! Definitely compromised!
>
> Congratulations.
>
> > I have not installed any new packages for a long time.
>
> Duh.
>
> > I do have apache running on the laptop, cuz I use it for testing cgi
> > scripts.
> >
> > Whats going on? How can I recover? I am a newbie in Linux sysadmin ..
> > HELP!!
> > Where can I get good security info??
>
> Get that crock off my Internet now. Start from
> <http://www.cert.mil/techtips/root_compromise.htm#E> onwards. Get offline,
> reinstall, remove unnecessary crap (socket listeners in particular), apply
> patches, firewall like buggery, install an IDS and nIDS, secure any
> listeners you really need, consider putting it back online if you really
> must.
>
> You might want to take a last backup partially for backup's sake, and
> partly for forensics' sake, at the appropriate moment.
>
> Come back tomorrow and update all packages.
> Come back tomorrow and update all packages.
>
> Come back tomorrow and update all packages.
>
> Come back tomorrow and update all packages.
>
> ~Tim
> --
> The night skips the sleeping years   |piglet@stirfried.vegetable.org.uk
> And re-awakes the memory             |http://spodzone.org.uk/
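The checklist at the top of this message, as an added example that is not code from the original post or from the quoted replies: a small POSIX sh script that decodes the rpm -V attribute columns seen in the quoted output, filters rpm -Va output down to binaries whose contents changed, and wraps the passwd, setuid and orphaned-owner searches as functions that take a path, so they can be pointed at a mounted image rather than the live root. The rpm -Va lines and the passwd file it is tested with are constructed; it assumes awk and a find that understands -perm /mode (GNU findutils, current BSDs).

```shell
#!/bin/sh
# Added example, not code from the original post. POSIX sh; needs awk and a
# find that accepts -perm /mode. Sample data below is constructed.

# Decode the eight attribute columns rpm -V prints before each path.
# S size, M mode, 5 digest, D device, L symlink target, U owner, G group,
# T mtime, P capabilities; '.' means that attribute still matches the package.
explain_rpm_flags() {
    rest=$1
    out=""
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}   # first character
        rest=${rest#?}          # drop it
        case $c in
            S) out="$out size" ;;
            M) out="$out mode" ;;
            5) out="$out digest" ;;
            D) out="$out device" ;;
            L) out="$out link" ;;
            U) out="$out user" ;;
            G) out="$out group" ;;
            T) out="$out mtime" ;;
            P) out="$out caps" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# From rpm -Va output on stdin, print paths whose size or digest changed and
# that rpm does not mark as config files ('c' in the column after the flags).
# A changed digest on /bin/ps or /bin/ls is exactly the finding in the thread;
# a changed digest on a file under /etc is usually just local configuration.
changed_binaries() {
    awk '$1 ~ /S|5/ && $2 != "c" { print $NF }'
}

# Accounts with uid 0 other than root, from the passwd file given as $1.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Regular files under $1 with the setuid or setgid bit set. The post's
# "-perm +6000" is the pre-2005 spelling; current GNU find wants /6000.
find_setuid_setgid() {
    find "$1" -type f -perm /6000 2>/dev/null
}

# Files under $1 whose owner or group is not in passwd/group: leftovers from
# an attacker's deleted account or an archive unpacked with foreign ids.
find_orphaned_files() {
    find "$1" \( -nouser -o -nogroup \) 2>/dev/null
}

# Constructed sample: two lines from the quoted rpm -Va output plus a changed
# config file, a binary with only its mtime changed, and a missing doc file.
SAMPLE_RPM_VA='SM5....T    /bin/ps
S.5....T    /bin/netstat
S.5....T  c /etc/inittab
.......T    /usr/bin/pstree
missing     /usr/share/doc/procps/README'

# Demonstration on the sample. On a suspect box: rpm -Va | changed_binaries
# and find_setuid_setgid / (see the usage note on where to run them from).
explain_rpm_flags SM5....T                          # size mode digest mtime
printf '%s\n' "$SAMPLE_RPM_VA" | changed_binaries   # /bin/ps /bin/netstat
```

Run the searches from a clean system with the suspect disk mounted read-only rather than on the suspect box: the quoted output shows /bin/ls and /usr/bin/find themselves failing verification, so nothing they print can be trusted, and rpm's binary and database may have been altered as well (a clean rpm can verify the mounted root with --root).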
- Next message: Tim Haynes: "Re: Help with system attack"