Re: Intruder's good job -- Change my root password
From: Andrew (andrtse@hotmail.com) Date: 03/23/02
From: "Andrew" <andrtse@hotmail.com> Date: Sat, 23 Mar 2002 17:05:23 -0500
Thanks. What good suggestions!
In the new installation, I have to first disable all the services except the
basic ones. I have another machine connecting to the internet through this Linux box,
which connects to the internet through ADSL. What services do I have to keep
enabled in setup so that crackers can't easily crack my server?
Andrew
"ERA" <era@eracc.hypermart.net> wrote in message
news:gWtomC2dEjRt-pn2-IMudUSJNdJQs@era0...
> On Fri, 22 Mar 2002 22:49:26 UTC, "Andrew"
> <andrtse@hotmail.com> wrote:
>
> + Can anybody lead me back to my home? My RH7.2 connecting to DSL was
> + hacked and changed the root password, and I am now rejected to go
> + back home. [...]
>
> NOTE: Proper NG for this is comp.os.linux.security so I have set the
> Followup for *this reply* to that group and added that group. When
> cross-posting it is proper to always set a specific group for the
> Followup messages.
>
> Your Linux, UNIX, etc. box has been cracked. What now?
>
> 1. Disconnect the infected system NOW! Don't wait.
>
> 2. Get *all* patches for your OS version a.s.a.p. (Now! Today!)
>
> 3. Save the patches to another system / drive / CDR / etc.
>
> 4. BACKUP ANY DATA YOU NEED TO KEEP.
>
> 4a. (Suggested by Pep <PepMozilla@netscape.net> 12-21-2001)
> Do not include any binary programs in your backup as these
> may have been compromised. You should re-install binary
> programs and libraries from their original medium.
>
> 5. Wipe the OS partition / drive clean.
> (You are unlikely to be able to clean up a compromised system by
> hand. So, grit your teeth and reformat that sucker.)
>
> 5a. (Suggested by Andreas Braeutigam <abrae@freenet.de> 02-26-02)
> (This is *not* an exact quote but is a paraphrase)
> Reformat may give the wrong impression that a time consuming
> format of the entire drive is needed. Rather than reformat
> the entire drive wipe out the MBR, partition boot sectors
> root partition and any other partition containing executable
> files that may be compromised.
>
> 6. Reinstall the OS + apps and restore data to the clean partition /
> drive.
>
> 6a. (Suggested by Bill Unruh <unruh@physics.ubc.ca> 12-21-2001)
> Then, scan all of the files which you saved for suid
> programs:
>
> find / -perm +6000 -ls
>
> 6b. (Suggested by Bill Unruh <unruh@physics.ubc.ca> 12-21-2001)
> Make sure that each of those files which are reported
> should actually be suid or sgid.
> If they are system files, check them with:
>
> rpm -Vf /name/of/file
>
> If they are in your or others home directories, they almost
> certainly should not be suid, especially not suid root.
> For example a file in /tmp, or in /usr/share/man should
> never be suid root.
>
> 6c. (Suggested by Pep <PepMozilla@netscape.net> 12-21-2001)
> When you restore your backup, check all system configuration
> files that are restored for any cracks that may have already
> been incorporated into these files.
>
> 6d. (Suggested by Bill Staehle <withheld on req.> 01-07-2002)
>
> find / \( -nouser -o -nogroup \) -exec ls -lad {} \;
>
> and if anything turns up, determine _why_ the user and/or
> group is not in /etc/passwd and/or /etc/group. Who _really_
> owns those files/directories? What are they?
>
> 7. WHILE OFFLINE install all the patches.
>
> 8. Create your own, unique hidden directory and 'cp' files to it
> that are essential to system maintenance like 'ls', 'netstat',
> 'route', 'ifconfig', 'ps', etc.
> (Should you be cracked again, God forbid, as long as you don't
> have a compromised kernel this will allow you to use these copies
> to "see" what a cracker may have done.)
>
> 8a. (Suggested by Andreas Braeutigam <abrae@freenet.de> 02-26-02)
> I'd rather store those copies on a separate system or a
> non-writeable medium. [like a CD-R, floppy diskette with
> write protect on, etc.]
>
>
> 8b. (Suggested by Pep <PepMozilla@netscape.net> 12-21-2001)
> Check your final installation to see that all known security
> bugs have been addressed. There are various utilities that
> you can get to help with this, such as port scanners; etc.
>
> 8c. (Suggested by Pep <PepMozilla@netscape.net> 12-21-2001)
> Install some of the security monitors that exist out there.
> I can't give you the names of all of these but there are
> monitors like portsentry that constantly scan for connections
> to your system, also there are other utilities that
> constantly check your system logs and ones that constantly
> check the system configuration files for any modifications of
> content and/or permissions.
>
> 8d. (Suggested by Bill Staehle <withheld on req.> 01-01-2002)
> [It] would be better if the program files you put into that
> hidden directory are statically compiled, and not using the
> possibly corrupted dynamic libraries. It also assumes that
> the kernel doesn't get messed with. _At this time_ these
> concerns are not big, but why not stay ahead?
>
> 8e. (Suggested by James Knott <james.knott@rogers.com> 01-02-02)
> Mount as much of your filesystem as possible as read only. If
> the crackers can't write to a partition, they can't change
> it. Rename and hide su etc. [as suggested in 8].
>
> 9. Then, and only then, set the box up to get online.
>
> 10. (Suggested by Pep <PepMozilla@netscape.net> 12-21-2001)
> Finally, design and implement a regular backup procedure,
> something you should already have done, so that you can limit
> any future problems you might have with your system, whether from
> cracking; bad configuration; system failure or simply bad users.
>
> 10a. (Suggested by Bill Staehle <withheld on req.> 01-01-2002)
> [For further security] you could have another system sitting
> off a separate network, that randomly grabs a file off of
> this box, and does a file comparison externally. If that
> other system is not accepting ANY connections from ANYWHERE,
> it makes a better intrusion detection system.
>
> What if you have only one machine with one OS installed? You still
> need to disconnect, backup and reinstall. To get the patches ask a
> friend or acquaintance with a secured system to help download the
> patches. Or see if your OS vendor offers the current patches on CD.
> If so, order it.
>
> For further reference see the comp.os.linux.security FAQ:
> http://www.linuxsecurity.com/docs/colsfaq.html
>
> Finally, if all this is too much for you to handle alone consider
> hiring an expert to assist you or to do it for you. However, be aware
> hiring a consultant that is able to help will probably *not* be
> inexpensive. For Linux and UNIX consultants in your area check these:
>
> http://www.pcunix.com/consultants.html
> http://wdb1.caldera.com/sdir_web/owa/ptrLocator.search
> http://www.redhat.com/products/purchase_options/find_reseller.html
>
> ("-" Suggested by Bill Staehle <withheld on req.> 01-07-2002)
> -ftp://ftp.cc.gatech.edu/pub/linux
> -ftp://ftp.freesoftware.com/pub/linux/sunsite
> -ftp://ftp.flash.net/pub/mirrors/metalab.unc.edu/pub/Linux
> -ftp://ftp.yggdrasil.com/mirrors/sunsite
> -ftp://ibiblio.org/pub/Linux
> -
> -Those are anonymous FTP servers. Log in as anonymous, with your
> -email address as password, and change to the indicated directory.
> -Look for the file "MIRRORS" to find a list of other servers that
> -may be more accessible to you. Then continue down from this
> -directory to ./docs/linux-doc-project/linux-consultants-guide/
> -and get one of the versions of the Consultants-Guide:
> -
> -Consultants-Guide.html.tar.gz
> -Consultants-Guide.pdf
> -Consultants-Guide.ps.gz
> -Consultants-Guide.sgml.gz
> -Consultants-Guide.txt
>
> Certified or Authorized resellers and/or consultants will be the
> ones most likely to be able to assist you. Those well versed in
> Linux and/or UNIX are usually capable of handling the "lesser OS's"
> as well.
>
> Finally, NEVER use the word "hacking" to describe "cracking" as there
> is a significant difference between a "cracker" and a "hacker". See:
>
> http://www.tuxedo.org/~esr/jargon/html/entry/cracker.html
> http://www.tuxedo.org/~esr/jargon/html/entry/hacker.html
>
> Most of all Good Luck!
>
> Gene <gene@eracc.hypermart.net>
> Caldera Authorized Partner - OpenServer 5+, UnixWare 7+ & OpenLinux
> --
> Owner and C.E.O. - ERA Computer Consulting - Jackson, TN USA .
> OS/2, UnixWare, OpenServer & Linux Business Computing Solutions .
> Please visit our www pages at http://eracc.hypermart.net/ .
> We run IBM OS/2 v.4.00, Revision 9.036
> Sysinfo: 44 Processes, 178 Threads, uptime is 11d 23h 41m 25s 301ms
>
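Steps 6a, 6b and 6d of the quoted procedure as one runnable audit script. This is an added example, not code from the thread; the sample tree, the expected-list file and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: audit a restored tree for set-id files and
# orphaned ownership. Paths are reported relative to the audited root so one
# expected list (assumed format: one absolute path per line) fits any mount point.

# Step 6a: setuid/setgid regular files under $1, relative to $1, sorted.
# "-perm -4000 -o -perm -2000" is the portable spelling; the thread's
# "-perm +6000" is old GNU syntax that modern GNU find writes "-perm /6000".
find_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sed "s|^$1||" | sort
}

# Step 6b: one line per set-id file that is missing from the expected list $2.
# Locations that should never hold set-id binaries get their own tag.
audit_setid() {
    find_setid "$1" | while IFS= read -r f; do
        grep -qx -- "$f" "$2" && continue
        case $f in
            /tmp/*|/home/*|/usr/share/man/*) echo "NEVER-SETID $f" ;;
            *)                               echo "UNEXPECTED $f" ;;
        esac
    done
}

# Succeeds only when audit_setid reports nothing.
setid_clean() { [ -z "$(audit_setid "$1" "$2")" ]; }

# Step 6b, second half: does a known set-id file still match its package?
# rpm -V prints nothing when the file verifies clean; skipped without rpm.
verify_packaged() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available"; return 0; }
    rpm -Vf "$1"
}

# Step 6d: files whose owner or group is missing from /etc/passwd or /etc/group.
find_orphans() {
    find "$1" \( -nouser -o -nogroup \) -exec ls -lad {} \;
}

# Constructed sample restore tree so the example runs offline. Prints its path;
# an expected list containing only /bin/su is written beside it.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/tmp" "$root/home/andrew"
    : > "$root/bin/su";            chmod 4755 "$root/bin/su"            # legitimate
    : > "$root/tmp/.x";            chmod 4755 "$root/tmp/.x"            # never OK
    : > "$root/home/andrew/a.out"; chmod 2755 "$root/home/andrew/a.out" # sgid in $HOME
    printf '/bin/su\n' > "$root.expected"
    echo "$root"
}
```

Run it as `ROOT=$(make_sample_tree); audit_setid "$ROOT" "$ROOT.expected"` to see the two flagged files; point the functions at a real restored root and your own expected list for an actual audit.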