Re: My Linux server got hacked last night -- please help!
From: Mark Rafn (dagon_at_dagon.net)
Date: 11/29/04
- Next message: Job Eisses: "Re: Port Forwarding and Multiple SSH Servers - WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!"
- Previous message: Snoopy_: "Locking down ssh commands, while using rsync."
- In reply to: sarah chang: "My Linux server got hacked last night -- please help!"
- Next in thread: Bill Unruh: "Re: My Linux server got hacked last night -- please help!"
- Reply: Bill Unruh: "Re: My Linux server got hacked last night -- please help!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 29 Nov 2004 13:14:02 -0800
sarah chang <sarahd00d@yahoo.co.uk> wrote:
>It looks as though my Linux server (running RedHat Fedora Core 3) was
>hacked last night.
Unfortunate.
>The following is in my /var/log/secure from last night:
>Nov 29 04:55:02 andromeda sshd[32300]: Invalid user admin from
>::ffff:210.212.85.11
No way to tell if this was pre- or post-break-in, or just part of a script to
gain access, which failed (but then some other part succeeded). Look at all
logs for suspicious things, ESPECIALLY for programs or services you haven't
updated recently.
>I'd appreciate any advice on
>1) How to cleanse my system
Format and reinstall from clean media. It's the only way to be sure.
>2) How to avoid this type of attack in future.
Keep software up-to-date, use a hardware firewall, turn off services you don't
need, make sure passwords are resistant to guessing.
>Right now I've powered off the server. I'll reboot using a RedHat
>install CD in rescue mode. Does anyone know how to force RedHat to
>reinstall all packages without repartitioning my hard drive?
You want to reformat the drive. Reinstalling all packages will not remove
backdoors which do not conflict with any package. Use the rescue CD to get
any data files saved, then nuke it.
-- Mark Rafn dagon@dagon.net <http://www.dagon.net/>
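The one log line quoted in this thread is the kind of sshd record a responder ends up sifting through in bulk. The script below is an added example and is not code from the original post or from anyone in the thread; it parses /var/log/secure-style sshd lines, strips the `::ffff:` IPv4-mapped prefix that sshd writes when listening on `::`, tallies invalid-user and failed-password events per source address, and flags any source that was eventually accepted after failures, which is the pattern worth finding when deciding whether a guessing run actually got in. Only the first sample line is from the post; the rest are constructed for illustration.

```python
"""Summarise sshd authentication events from /var/log/secure-style lines.

Added example, not part of the original mailing-list post. The log format
follows the line quoted in the thread; all sample lines after the first
are constructed for illustration.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed sample log. Line 1 is the one quoted in the post; the rest are
# made up to show a failed guessing run followed by an accepted login.
SAMPLE_LOG = """\
Nov 29 04:55:02 andromeda sshd[32300]: Invalid user admin from ::ffff:210.212.85.11
Nov 29 04:55:04 andromeda sshd[32300]: Failed password for invalid user admin from ::ffff:210.212.85.11 port 4421 ssh2
Nov 29 04:55:09 andromeda sshd[32302]: Invalid user test from ::ffff:210.212.85.11
Nov 29 04:55:11 andromeda sshd[32302]: Failed password for invalid user test from ::ffff:210.212.85.11 port 4430 ssh2
Nov 29 04:56:30 andromeda sshd[32310]: Failed password for root from ::ffff:210.212.85.11 port 4452 ssh2
Nov 29 04:57:01 andromeda sshd[32315]: Accepted password for root from ::ffff:210.212.85.11 port 4470 ssh2
Nov 29 09:12:44 andromeda sshd[410]: Accepted publickey for sarah from 192.168.1.20 port 51022 ssh2
"""

# Syslog prefix: timestamp, host, "sshd[pid]: ", then the message body.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)
INVALID_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<src>\S+)")
FAILED_RE = re.compile(
    r"^Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)
ACCEPTED_RE = re.compile(
    r"^Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)"
)


def normalise_src(src: str) -> str:
    """Strip the IPv4-mapped IPv6 prefix so ::ffff:a.b.c.d and a.b.c.d match."""
    return src[len("::ffff:"):] if src.startswith("::ffff:") else src


def _new_entry() -> dict:
    return {"invalid_users": set(), "failed": 0, "accepted": []}


def summarise(lines: Iterable[str]) -> Dict[str, dict]:
    """Return per-source counts of invalid users, failures and accepted logins."""
    summary: Dict[str, dict] = defaultdict(_new_entry)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd line; ignore
        msg = m.group("msg")
        if mi := INVALID_RE.match(msg):
            summary[normalise_src(mi.group("src"))]["invalid_users"].add(mi.group("user"))
        elif mf := FAILED_RE.match(msg):
            summary[normalise_src(mf.group("src"))]["failed"] += 1
        elif ma := ACCEPTED_RE.match(msg):
            summary[normalise_src(ma.group("src"))]["accepted"].append(
                (m.group("ts"), ma.group("user"), ma.group("method"))
            )
    return dict(summary)


def accepted_after_failures(summary: Dict[str, dict]) -> List[str]:
    """Sources that had at least one failure and later an accepted login."""
    return sorted(src for src, s in summary.items() if s["failed"] and s["accepted"])


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG.splitlines())
    for src, s in sorted(report.items()):
        print(f"{src}: {s['failed']} failures, invalid users {sorted(s['invalid_users'])}, "
              f"accepted {s['accepted']}")
    print("accepted after failures:", accepted_after_failures(report))
```

To run it against a real file, replace `SAMPLE_LOG.splitlines()` with `open("/var/log/secure")`. An accepted login from a source that was guessing minutes earlier is strong evidence the guess succeeded; an accepted login from a source with no failures at all is not proof of innocence, which is why the advice in the thread is to review every log, not just this one.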