Re: Being attacked but don't know how

From: Bill Unruh (unruh@string.physics.ubc.ca)
Date: 11/30/02


From: unruh@string.physics.ubc.ca (Bill Unruh)
Date: 29 Nov 2002 23:22:34 GMT


"Jean-Francois Croteau" <croteauj@videotron.ca> writes:

]Hi everyone.
] I'm having a problem with someone in my enterprise. I have some public
]stations, running Red Hat 6.2. The purpose of these stations is to let
]people have access to the internet. So I've used a restricted version of
]Gnome, allowing access only to Netscape. There is only 1 command prompt, on
]the 2nd tty.

]My problem is the following: someone, and I don't know how, is playing with
]my stations. Every file under /etc, /usr, /tmp, /var, /home is there, but
]is 0 bytes. And this problem is recursive. The only "normal" files are
]contained in /.

]I'm running Webmin 0.87 to let me remotely manage my stations. Does anyone
]have an idea?

Well, I would say that using webmin is not a good idea. Instead use ssh
to log in and do the upkeep you need to.

a) Make sure that you have kept up to date with all the security
updates. Redhat 6.2 is a pretty old distro by now. There are many
security updates for it. you MUST apply them.
b) Make sure that all your ports are shut down. You should not be
running anything which opens a network port.
Check in /etc/rc.d/rc?.d ( where ? is the runlevel-- 3 or 5 that you run
at-- 3 means people log on with a console login, while 5 means they use
an X type logon.)
remove most of the entries there.
(The ones with the S are the important ones.)
You will need network, random, sshd, rawdevices maybe, maybe sound
and/or alsa if people want to use the soundcard on the machine,
keytable, postfix IF you want them to send out mail from that machine
(but edit the /etc/postfix/master.cf file and put a # at the beginning
of the smtp line.), numlock, internet, crond, xfs, anacron, kheade,
local.

It may of course be a local person, but I would expect someone from the
net is doing this.

]Thanx in advance

]Jean-Francois Croteau
]IBM Canada ltée
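The rc?.d audit described in step b), as an added example that is not part of the original post or Bill Unruh's own procedure. It assumes the Red Hat 6.2 SysV layout (S##name / K##name symlinks under /etc/rc.d/rcN.d), that the init script names match the service names listed in the reply, and that the chkconfig command is available. The script only reports and prints the disabling commands; the constructed rc3.d directory it builds for the demo is a throwaway, not a real system's configuration.

```shell
#!/bin/sh
# Added example (not from the original post). Audits one runlevel's SysV
# link directory against the allowlist of services the reply says a
# Netscape-only kiosk needs, and prints the chkconfig commands that would
# switch off everything else. Nothing is changed unless the admin runs
# the printed commands.

# Services the reply lists as needed. Assumption: init.d script names
# match these names; adjust to what is actually installed.
ALLOWED="network random sshd rawdevices sound alsa keytable postfix numlock internet crond xfs anacron local"

# service_name S35keytable -> keytable (strips the S/K prefix and sequence number)
service_name() {
    printf '%s\n' "$1" | sed 's/^[SK][0-9][0-9]//'
}

# is_allowed NAME -> exit status 0 if NAME is on the allowlist
is_allowed() {
    for a in $ALLOWED; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# audit_rc_dir DIR -> prints, one per line, the services started from DIR
# (S-links) that are not on the allowlist
audit_rc_dir() {
    for link in "$1"/S[0-9][0-9]*; do
        [ -L "$link" ] || [ -e "$link" ] || continue   # glob matched nothing
        name=$(service_name "$(basename "$link")")
        if ! is_allowed "$name"; then
            printf '%s\n' "$name"
        fi
    done
    return 0
}

# disable_commands DIR -> prints a chkconfig command per extra service;
# the runlevel is taken from the directory name (rc3.d -> 3)
disable_commands() {
    level=$(basename "$1" | sed 's/^rc\([0-9S]\)\.d$/\1/')
    audit_rc_dir "$1" | while read -r name; do
        printf 'chkconfig --level %s %s off\n' "$level" "$name"
    done
    return 0
}

# make_demo_dir -> builds a constructed rc3.d with sample links (targets
# need not exist) and prints its path; used only for the demo below
make_demo_dir() {
    d=$(mktemp -d)
    mkdir "$d/rc3.d"
    for s in S10network S20random S55sshd S56rpc S60lpd S75keytable S80postfix S85httpd S99local; do
        ln -s "../init.d/$(service_name "$s")" "$d/rc3.d/$s"
    done
    printf '%s\n' "$d/rc3.d"
}

# Demo on the constructed directory; on a real box run
#   audit_rc_dir /etc/rc.d/rc3.d   (or rc5.d for an X login)
demo=$(make_demo_dir)
echo "Services started from $demo that the kiosk does not need:"
audit_rc_dir "$demo"
echo "Commands to disable them (review, then run):"
disable_commands "$demo"
rm -rf "$(dirname "$demo")"
```

On a real station the same two functions are pointed at /etc/rc.d/rc3.d or rc5.d; review the printed list before running the chkconfig commands, since the allowlist is only the reply's suggestion and a station may legitimately need something not on it.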