Re: Intruder's good job -- Change my root password

From: "Andrew" <>
Date: Sat, 23 Mar 2002 17:05:23 -0500

Thanks. What good suggestions!
In the new installation, I have to first disable all the services except the
basic ones. I have another machine connecting to the internet through this Linux box,
which connects to the internet through ADSL. What services do I have to keep
enabled in setup so that crackers can't easily crack my server?


"ERA" <> wrote in message
> On Fri, 22 Mar 2002 22:49:26 UTC, "Andrew"
> <> wrote:
> + Can anybody lead me back to my home? My RH7.2 connecting to DSL was
> + hacked and changed the root password, and I am now rejected to go
> + back home. [...]
> NOTE: Proper NG for this is so I have set the
> Followup for *this reply* to that group and added that group. When
> cross-posting it is proper to always set a specific group for the
> Followup messages.
> Your Linux, UNIX, etc. box has been cracked. What now?
> 1. Disconnect the infected system NOW! Don't wait.
> 2. Get *all* patches for your OS version a.s.a.p. (Now! Today!)
> 3. Save the patches to another system / drive / CDR / etc.
> 4a. (Suggested by Pep <> 12-21-2001)
> Do not include any binary programs in your backup as these
> may have been compromised. You should re-install binary
> programs and libraries from their original medium.
> 5. Wipe the OS partition / drive clean.
> (You are unlikely to be able to clean up a compromised system by
> hand. So, grit your teeth and reformat that sucker.)
> 5a. (Suggested by Andreas Braeutigam <> 02-26-02)
> (This is *not* an exact quote but is a paraphrase)
> Reformat may give the wrong impression that a time consuming
> format of the entire drive is needed. Rather than reformat
> the entire drive wipe out the MBR, partition boot sectors
> root partition and any other partition containing executable
> files that may be compromised.
> 6. Reinstall the OS + apps and restore data to the clean partition /
> drive.
> 6a. (Suggested by Bill Unruh <> 12-21-2001)
> Then, scan all of the files which you saved for suid
> programs:
> find / -perm +6000 -ls
> 6b. (Suggested by Bill Unruh <> 12-21-2001)
> Make sure that each of those files which are reported
> should actually be suid or sgid.
> If they are system files, check them with:
> rpm -Vf /name/of/file
> If they are in your or others home directories, they almost
> certainly should not be suid, especially not suid root.
> For example a file in /tmp, or in /usr/share/man should
> never be suid root.
> 6c. (Suggested by Pep <> 12-21-2001)
> When you restore your backup, check all system configuration
> files that are restored for any cracks that may have already
> been incorporated into these files.
> 6d. (Suggested by Bill Staehle <withheld on req.> 01-07-2002)
> find / \( -nouser -o -nogroup \) -exec ls -lad {} \;
> and if anything turns up, determine _why_ the user and/or
> group is not in /etc/passwd and/or /etc/group. Who _really_
> owns those files/directories? What are they?
> 7. WHILE OFFLINE install all the patches.
> 8. Create your own, unique hidden directory and 'cp' files to it
> that are essential to system maintenance like 'ls', 'netstat',
> 'route', 'ifconfig', 'ps', etc.
> (Should you be cracked again, God forbid, as long as you don't
> have a compromised kernel this will allow you to use these copies
> to "see" what a cracker may have done.)
> 8a. (Suggested by Andreas Braeutigam <> 02-26-02)
> I'd rather store those copies on a separate system or a
> non-writeable medium. [like a CD-R, floppy diskette with
> write protect on, etc.]
> 8b. (Suggested by Pep <> 12-21-2001)
> Check your final installation to see that all known security
> bugs have been addressed. There are various utilities that
> you can get to help with this, such as port scanners; etc.
> 8c. (Suggested by Pep <> 12-21-2001)
> Install some of the security monitors that exist out there.
> I can't give you the names of all of these but there are
> monitors like portsentry that constantly scan for connections
> to your system, also there are other utilities that
> constantly check your system logs and ones that constantly
> check the system configuration files for any modifications of
> content and/or permissions.
> 8d. (Suggested by Bill Staehle <withheld on req.> 01-01-2002)
> [It] would be better if the program files you put into that
> hidden directory are statically compiled, and not using the
> possibly corrupted dynamic libraries. It also assumes that
> the kernel doesn't get messed with. _At this time_ these
> concerns are not big, but why not stay ahead?
> 8e. (Suggested by James Knott <> 01-02-02)
> Mount as much of your filesystem as possible as read only. If
> the crackers can't write to a partition, they can't change
> it. Rename and hide su etc. [as suggested in 8].
> 9. Then, and only then, set the box up to get online.
> 10. (Suggested by Pep <> 12-21-2001)
> Finally, design and implement a regular backup procedure,
> something you should already have done, so that you can limit
> any future problems you might have with your system, whether from
> cracking; bad configuration; system failure or simply bad users.
> 10a. (Suggested by Bill Staehle <withheld on req.> 01-01-2002)
> [For further security] you could have another system sitting
> off a separate network, that randomly grabs a file off of
> this box, and does a file comparison externally. If that
> other system is not accepting ANY connections from ANYWHERE,
> it makes a better intrusion detection system.
> What if you have only one machine with one OS installed? You still
> need to disconnect, backup and reinstall. To get the patches ask a
> friend or acquaintance with a secured system to help download the
> patches. Or see if your OS vendor offers the current patches on CD.
> If so, order it.
> For further reference see the FAQ:
> Finally, if all this is too much for you to handle alone consider
> hiring an expert to assist you or to do it for you. However, be aware
> hiring a consultant that is able to help will probably *not* be
> inexpensive. For Linux and UNIX consultants in your area check these:
> ("-" Suggested by Bill Staehle <withheld on req.> 01-07-2002)
> -
> -
> -
> -
> -
> -
> -Those are anonymous FTP servers. Log in as anonymous, with your
> -email address as password, and change to the indicated directory.
> -Look for the file "MIRRORS" to find a list of other servers that
> -may be more accessible to you. Then continue down from this
> -directory to ./docs/linux-doc-project/linux-consultants-guide/
> -and get one of the versions of the Consultants-Guide:
> -
> -Consultants-Guide.html.tar.gz
> -Consultants-Guide.pdf
> -Consultants-Guide.sgml.gz
> -Consultants-Guide.txt
> Certified or Authorized resellers and/or consultants will be the
> ones most likely to be able to assist you. Those well versed in
> Linux and/or UNIX are usually capable of handling the "lesser OS's"
> as well.
> Finally, NEVER use the word "hacking" to describe "cracking" as there
> is a significant difference between a "cracker" and a "hacker". See:
> Most of all Good Luck!
> Gene <>
> Caldera Authorized Partner - OpenServer 5+, UnixWare 7+ & OpenLinux
> --
> Owner and C.E.O. - ERA Computer Consulting - Jackson, TN USA .
> OS/2, UnixWare, OpenServer & Linux Business Computing Solutions .
> Please visit our www pages at .
> We run IBM OS/2 v.4.00, Revision 9.036
> Sysinfo: 44 Processes, 178 Threads, uptime is 11d 23h 41m 25s 301ms
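The suid/sgid and ownership checks from steps 6a to 6d of the quoted checklist, collected into one script as an added example (not code from the original thread or from either poster). It takes the root of the tree to inspect as an argument so it can be pointed at a mounted backup or a restored partition rather than only at "/". It assumes GNU findutils, which spells the "any of these bits" test as `-perm /6000` (the `-perm +6000` form in the post is the older, now removed, spelling), and an RPM-based system for the optional package verification; the list of "should never be suid" locations is taken from the post's examples plus the usual temp directories.

```shell
#!/bin/sh
# Added example, not from the original thread: audit a tree for setuid/setgid
# files and for files whose owner or group no longer exists (checklist steps
# 6a-6d).  Assumes GNU find (-perm /6000) and, for verify_with_rpm, rpm.

# Print every setuid or setgid regular file under $1, one path per line.
list_suid() {
    find "$1" -xdev -type f -perm /6000 2>/dev/null
}

# Print setuid/setgid files under $1 that sit where the checklist says such
# bits should never appear: home directories, temp directories and the man
# pages.  Paths are matched relative to the tree root so the function works
# on a mounted backup as well as on "/".
suspicious_suid() {
    root=${1%/}                       # "/" becomes "", "/mnt/bk/" becomes "/mnt/bk"
    list_suid "${root:-/}" | while IFS= read -r f; do
        rel=${f#"$root"}
        case "$rel" in
            /home/*|/root/*|/tmp/*|/var/tmp/*|/usr/share/man/*)
                printf '%s\n' "$f" ;;
        esac
    done
}

# Print files or directories under $1 whose uid or gid has no entry in
# /etc/passwd or /etc/group (step 6d); each hit needs a "who really owns
# this?" answer before the file is trusted.
unowned_files() {
    find "$1" -xdev \( -nouser -o -nogroup \) -exec ls -lad {} \; 2>/dev/null
}

# Ask rpm whether each setuid/setgid file still matches the package
# database (step 6b).  rpm -Vf prints nothing for an unmodified file, so any
# output here deserves a look; files not owned by any package are reported
# by rpm itself.
verify_with_rpm() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available; skipping package verification" >&2
        return 0
    fi
    list_suid "$1" | while IFS= read -r f; do
        rpm -Vf "$f"
    done
}

# Run all checks against one tree.  Usage: sh audit.sh /mnt/restored
audit_tree() {
    echo "== setuid/setgid files =="
    list_suid "$1"
    echo "== setuid/setgid files in places where they should never be =="
    suspicious_suid "$1"
    echo "== files with unknown owner or group =="
    unowned_files "$1"
    echo "== rpm verification of setuid/setgid files =="
    verify_with_rpm "$1"
}

if [ $# -gt 0 ]; then
    audit_tree "$1"
fi
```

Run it from the known-good copies of `find`, `ls` and `rpm` kept per step 8 rather than from the restored tree's own binaries, and run it before the box goes back online; a setuid file under /tmp or a home directory is exactly the kind of leftover the checklist warns that a restored backup can carry.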
