Re: changing root password with Knoppix?

Colin McKinnon wrote:
news@xxxxxxxxxxxxxx wrote:

I recently just had a FC2 box hacked.
Unfortunately we simply can't take it offline at the moment

OK so far.

because we
have outside people needing to use files on it.

erm, no.

While the cracker appeared to simply install a spam relay (didn't even
delete the bash_history or anything,)

You obviously don't KNOW that's all the cracker did. Take some time to think
about why not.

I don't want to take any chances
and need to change passwords on it, hoping he doesn't have bash storing

Ah, hope, yes I forgot about that reliable method of ensuring security - you
might try prayers and/or sacrifice too.

It was recommended I use Knoppix to change the root password. I found a
thread where Lew P. instructed someone how to delete the root password:


But, when I boot back up with the system, IF bash IS being logged, when
I change the root password won't it be logged?

That's the least of your worries - apart from anything else - this tutorial
isn't going to work on your machine.

Like that?
(LOL I love this from the badblocks man: "This can be overriden using
the -f flag, but should almost never be used --- if you think you're
smarter than the bad-blocks program, you almost certainly

(I'm sooooooo tempted....)

Let's try again.
You WILL backup ONLY the files you MUST keep from this server.
You WILL check them for executable content.
You WILL reformat the hard disk and reinstall from distribution media
You WILL install all vendor patches before running any services (preferably
before plugging it into the internet)
You WILL install an IDS to ensure that you can recover next time
You WILL learn how to use it
You may now restore the files you carried over from the previous life of the
You WILL keep your security procedures under regular monitoring and review.
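One way to carry out the "check them for executable content" step above before anything is restored onto the rebuilt machine, as an added example that is not part of the thread: a small Python scanner that walks the backed-up tree and flags regular files by execute bit, setuid/setgid bits, ELF magic or a shebang line. The directory layout and file contents in `demo()` are constructed for illustration; the paths and the `classify`/`scan_tree` names are assumptions of this example, not anything from the original posts.

```python
"""Flag executable content in a tree of files carried over from a compromised host.

Added example, not from the thread. Assumes the backup is a plain directory
tree on a Unix filesystem; symlinks and directories are skipped so that only
regular files are classified.
"""
import os
import shutil
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"   # first four bytes of every ELF binary
SHEBANG = b"#!"          # interpreter line of a script


def classify(path):
    """Return the reasons a file needs review; an empty list means nothing found."""
    reasons = []
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return reasons  # symlinks, devices, etc. are out of scope here
    mode = st.st_mode
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        reasons.append("exec-bit")
    if mode & stat.S_ISUID:
        reasons.append("setuid")
    if mode & stat.S_ISGID:
        reasons.append("setgid")
    # Mode bits are easy to strip; the file header is checked regardless.
    with open(path, "rb") as f:
        head = f.read(4)
    if head.startswith(ELF_MAGIC):
        reasons.append("elf-binary")
    elif head.startswith(SHEBANG):
        reasons.append("script-shebang")
    return reasons


def scan_tree(root):
    """Walk root (without following symlinks) and map relative path -> reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = classify(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings


def _write(root, rel, data, mode):
    """Helper: create a constructed sample file with the given mode bits."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    os.chmod(full, mode)


def demo():
    """Build a constructed backup tree, scan it, and return the findings."""
    root = tempfile.mkdtemp(prefix="backup-")
    try:
        # Constructed sample data: a web page, a CGI script, an ELF-looking
        # binary with no exec bit, a setuid text file, and a plain note.
        _write(root, "www/index.html", b"<html>hello</html>\n", 0o644)
        _write(root, "www/cgi/hello", b"#!/bin/sh\necho hi\n", 0o755)
        _write(root, "home/bin/tool", ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 9, 0o644)
        _write(root, "home/bin/suid", b"plain text\n", 0o4755)
        _write(root, "data/notes.txt", b"meeting at 10\n", 0o644)
        return scan_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, why in sorted(demo().items()):
        print(f"{rel}: {', '.join(why)}")
```

Run it against the real backup with `scan_tree("/path/to/backup")`; anything it lists gets looked at by hand before it goes onto the new disks. A clean result is not proof of a clean file (a script without a shebang or exec bit, or a file that is simply data abused by some other program, will pass), so it narrows the review rather than replacing it.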

How'bout this:

You WILL not assume that I WASN'T planning on only backing up what we
must keep.
You WILL realize that you do not know that we are overnighting new HD's
from Newegg to put into a new machine that is going to be replacing the
old, compromised one.
You WILL not assume that I won't install the patches, or that I wasn't
before by running nightly "yum" updates (FedoraCore) or be subscribed
to the Slackware lists alerting me of new patches with the new server
(that will, to be redundant, be running Slackware.)
You WILL not assume that I don't already have a separate IP-Cop serving
as an IDS box, and that the compromised system was in the DMZ as it was
being used as a Web server and thus was required to have SOME
compromiseable access to the Internet.

See my reply to the other rather rude, assumptive, and elitist responder
for information as to why we're taking the chance with keeping the
system up for another cpl days, and tedious information regarding
getting new hardware which implies our copying only necessary data onto
a rebuilt system, and reinforcement of my knowledge that I'm NOT
certain that's all that was done to the system, but am mostly sure
based on evidence.
The fact I'm not positive is evidenced in the fact that I'm completely
rebuilding the system.

Thank you.

(Wow, it's funny. I thought the Slackware people over in that newsgroup
would be pricks, but they've turned out to be extremely helpful,
respectful, great people. Why is it over here I get slammed by elitist
jerks who evidently were born with all knowledge and never had to learn
anything themselves through experience or "the hard way" and so cut no
slack. Weird.)