Re: My Linux server got hacked last night -- please help!

From: Bill Unruh (unruh_at_string.physics.ubc.ca)
Date: 11/30/04


Date: 30 Nov 2004 02:00:16 GMT

dagon@dagon.net (Mark Rafn) writes:

]sarah chang <sarahd00d@yahoo.co.uk> wrote:
]>It looks as though my Linux server (running RedHat Fedora Core 3) was
]>hacked last night.

]Unfortunate.

]>The following is in my /var/log/secure from last night:
]>Nov 29 04:55:02 andromeda sshd[32300]: Invalid user admin from
]>::ffff:210.212.85.11

]No way to tell if this was pre- or post- breakin, or just part of a script to
]gain access, which failed (but then some other part succeeded). Look at all
]logs for suspicious things, ESPECIALLY for programs or services you haven't
]updated recently.

]>I'd appreciate any advice on
]>1) How to cleanse my system

]Format and reinstall from clean media. It's the only way to be sure.

]>2) How to avoid this type of attack in future.

]Keep software up-to-date, use a hardware firewall, turn off services you don't
]need, make sure passwords are resistant to guessing.

]>Right now I've powered off the server. I'll reboot using a RedHat
]>install CD in rescue mode. Does anyone know how to force RedHat to
]>reinstall all packages without repartitioning my hard drive?

]You want to reformat the drive. Reinstalling all packages will not remove
]backdoors which do not conflict with any package. Use the rescue CD to get
]any data files saved, then nuke it.

No No. You have to burn the whole computer and any CDs or DVDs that were in
the house at the time. Even if it was only a Cinderella DVD, you never
know. No sense in not being careful.

Buy a new computer and start again.

A backdoor is only a backdoor if it can be opened from outside.
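The /var/log/secure line quoted in the thread is the kind of entry the advice "look at all logs for suspicious things" refers to. As an added example (not code from anyone in this thread), here is a small Python parser that tallies sshd "Invalid user" events per source address, strips the IPv4-mapped `::ffff:` prefix sshd writes, and flags sources that exceed a threshold; the sample log lines and the threshold of 5 are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Matches the sshd "Invalid user" syslog line shape shown in the thread:
# "<timestamp> <host> sshd[<pid>]: Invalid user <name> from <addr>",
# optionally followed by " port <n>" as newer sshd versions log it.
INVALID_USER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<src>\S+?)(?: port \d+)?$"
)

def normalize_addr(addr):
    """sshd logs IPv4 peers of an IPv6 socket as ::ffff:a.b.c.d; strip the prefix."""
    if addr.lower().startswith("::ffff:"):
        return addr[len("::ffff:"):]
    return addr

def summarize_invalid_users(lines):
    """Return {source: (attempt_count, sorted usernames tried)} for the given lines."""
    counts = Counter()
    users = defaultdict(set)
    for line in lines:
        m = INVALID_USER_RE.match(line.strip())
        if not m:
            continue  # not an "Invalid user" event (e.g. an accepted login)
        src = normalize_addr(m.group("src"))
        counts[src] += 1
        users[src].add(m.group("user"))
    return {src: (counts[src], sorted(users[src])) for src in counts}

def flag_bruteforce(summary, threshold=5):
    """Sources with at least `threshold` invalid-user attempts, most active first."""
    hits = [(src, n, u) for src, (n, u) in summary.items() if n >= threshold]
    return sorted(hits, key=lambda h: -h[1])

# Constructed sample log: the line from the thread plus made-up entries.
# 192.0.2.0/24 is a reserved documentation range, not a real host.
SAMPLE_LOG = [
    "Nov 29 04:55:02 andromeda sshd[32300]: Invalid user admin from ::ffff:210.212.85.11",
    "Nov 29 04:55:05 andromeda sshd[32302]: Invalid user test from ::ffff:210.212.85.11",
    "Nov 29 04:55:09 andromeda sshd[32304]: Invalid user guest from ::ffff:210.212.85.11",
    "Nov 29 04:55:12 andromeda sshd[32306]: Invalid user oracle from ::ffff:210.212.85.11",
    "Nov 29 04:55:16 andromeda sshd[32308]: Invalid user ftpuser from ::ffff:210.212.85.11",
    "Nov 29 06:10:41 andromeda sshd[32410]: Invalid user backup from 192.0.2.7 port 40212",
    "Nov 29 07:02:13 andromeda sshd[32455]: Accepted password for sarah from 192.0.2.20 port 51234 ssh2",
]

if __name__ == "__main__":
    for src, n, names in flag_bruteforce(summarize_invalid_users(SAMPLE_LOG)):
        print(f"{src}: {n} invalid-user attempts, names tried: {', '.join(names)}")
```

A single "Invalid user" line, as Mark notes, says nothing about whether the break-in came before or after it; a burst of guesses from one source is the pattern worth correlating against the rest of the logs.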