Security Incidents mailing list archives

Re: Compromised...


From: jlewis () LEWIS ORG (Jon Lewis)
Date: Mon, 7 Feb 2000 23:15:05 -0500


On Mon, 7 Feb 2000, Steve Logan wrote:

Has anyone else experienced this?  How did they get in?  At this point I'm
pretty sure it was through named.  How should I go about cleaning it up?
Right now I think I'll just reinstall the RPM's off of the cd.  Will this
be enough (along with upgrading BIND)?  If anyone could share any useful
information please do so.

What rock do you live under?  Named holes have been a frequent topic both
here and on bugtraq.  Assuming you're running Red Hat Linux (because you
mentioned rpms), you really need to keep up with Red Hat's security
updates or this will happen again.

Unless you have tripwire (no, you can't rely on the on-line rpm
database's md5 sigs), you probably have to just reinstall and start
over.  Another possibility if that's not appealing is if you have a backup
that you know was done before the break-in, you could restore that to a
blank disk and do the following:

Compare the output of ls -laR / on each version of the system.  Look
especially for new files/directories that don't belong.

Compare checksums or md5sums of all files between each version of the
system.  Any binaries, libraries, or config files that have changed need
to be closely examined and possibly replaced.

Obviously, you need to fix whatever it was that let them in as well.

----------------------------------------------------------------------
 Jon Lewis *jlewis () lewis org*|  Spammers will be winnuked or
 System Administrator        |  nestea'd...whatever it takes
 Atlantic Net                |  to get the job done.
_________http://www.lewis.org/~jlewis/pgp for PGP public key__________


Current thread: