Re: psybnc - have been hacked pls help
From: Bit Twister (BitTwister@localhost.localdomain) Date: 03/29/02
From: BitTwister@localhost.localdomain (Bit Twister) Date: Fri, 29 Mar 2002 00:32:28 GMT
On Thu, 28 Mar 2002 20:58:45 +0100, Thomas S. wrote:
>
> Hi,
>
> I found out my Linux SUSE 7.3 server was hacked!
First, unplug your system from the internet. Your machine is a menace to
society until you've cleaned it up. Even worse, if it is used to crack
a bank or military site, you and your equipment get hauled off to jail.

http://www.chkrootkit.org has a program for checking for rootkit installs.

Any time you know a box is cracked, you should:
o Pull the box off the network, you do not want the police taking
you and your equipment to jail because a cracker used it
to crack a bank or military site.
o Put the hard drive(s) into a standalone machine,
mount the disk(s) read-only,
save any data, user files, ...
o Save a full copy of the disk(s) for your forensic attempt,
save the disk(s) for FBI forensics if it's a Big, BIG dollar loss.
o Reformat disk drives and do a fresh install from known clean
source to remove any possible back doors the cracker installed.
o Restore your saved files, verify that the restored files
do not have the suid bit set "find / -perm +6000 -ls".
o Have everyone on the box's network change passwords and
tell them that the cracker may have been running a
password sniffer so they will not use them ever again.
Any other boxes logged into from the cracked box should
have their passwords changed.
Here is why you need a clean install:
http://www.linuxdoc.org/LDP/LG/issue36/kuethe.html
4th paragraph.

Install a firewall.
Get all the vendor updates to your distro.
You might want to read Armoring Linux
http://www.linuxdoc.org/HOWTO/Security-Quickstart-HOWTO/index.html
http://www.enteract.com/~lspitz/linux.html
http://www.linuxsecurity.com/docs/colsfaq.html
http://www.securityportal.com/lskb/articles/
http://www.securityportal.com/lasg/
http://www.cert.org/advisories/
For cheap install CDs:
http://cart.cheapbytes.com/cgi-bin/cart
top left under Products.
For people across the pond:
http://www.linuxemporium.co.uk
http://www.linux123.co.uk/
Never log in as root unless you have to.
Always log in from the console; no su, telnet, ssh, ...
That way a keystroke logger in your user account cannot
catch your root login password.

You can audit your system if you are using the rpm package manager with
rpm -Va | grep '..5' > /tmp/verify.log (runs for a while).
/tmp/verify.log will contain changes which you have made using
configuration tools.
Hope crackers do not put in a rootkit which makes the rpm check obsolete.
I think this has happened, though I'm not sure.
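The two checks Bit Twister mentions (the setuid sweep over restored files and the rpm -Va digest audit) as an added example script, not part of the original post. The rpm -Va sample text is constructed; find_setuid() uses the POSIX -perm -4000 / -perm -2000 form instead of the GNU-specific +6000 shorthand.

```sh
#!/bin/sh
# Added example, not from the original post: helpers for the two post-cleanup
# checks described above. rpm_verify_changed() filters "rpm -Va" style output
# for entries whose package digest column ('5' in the 3rd position) changed;
# find_setuid() lists setuid/setgid regular files under a directory tree.

# Constructed sample of rpm -Va output. Column 1 is the 9-flag field
# (S size, M mode, 5 digest, T mtime, ...); an optional "c" marks a config file.
SAMPLE_RPM_VA='S.5....T.  c /etc/passwd
.......T.    /usr/share/doc/foo/README
SM5....T.    /bin/ls
.M.......    /usr/bin/passwd
missing     /sbin/ifconfig'

# Print files whose digest differs from the package, skipping config files
# (" c " flag), which admins legitimately edit, so modified binaries stand out.
# Files reported as "missing" are listed too, since a removed tool is suspicious.
rpm_verify_changed() {
    # $1: text in rpm -Va format (e.g. "$(rpm -Va)" on a real host)
    printf '%s\n' "$1" | awk '
        substr($1, 3, 1) == "5" && $2 != "c" { print $NF }
        $1 == "missing"                      { print $NF " (missing)" }'
}

# List regular files with the setuid or setgid bit set below $1, staying on
# one filesystem. Equivalent to the post'"'"'s "find / -perm +6000" on old GNU find.
find_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Stand-alone run: show the sample audit and sweep the current directory.
rpm_verify_changed "$SAMPLE_RPM_VA"
find_setuid "${1:-.}"
```

On a real host run `rpm_verify_changed "$(rpm -Va)"` and `find_setuid /` as root, then review each hit against the vendor's package list before trusting it.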