Security Incidents mailing list archives
Re: Compromised...
From: jlewis () LEWIS ORG (Jon Lewis)
Date: Mon, 7 Feb 2000 23:15:05 -0500
On Mon, 7 Feb 2000, Steve Logan wrote:
Has anyone else experienced this? How did they get in? At this point I'm pretty sure it was through named. How should I go about cleaning it up? Right now I think I'll just reinstall the RPM's off of the cd. Will this be enough (along with upgrading BIND)? If anyone could share any useful information please do so.
What rock do you live under? Named holes have been a frequent topic both here and on bugtraq. Assuming you're running Red Hat Linux (because you mentioned rpms), you really need to keep up with Red Hat's security updates or this will happen again. Unless you have tripwire (no, you can't rely on the on-line rpm database's md5 sigs), you probably have to just reinstall and start over. Another possibility if that's not appealing is if you have a backup that you know was done before the break-in, you could restore that to a blank disk and do the following: Compare the output of ls -laR / on each version of the system. Look especially for new files/directories that don't belong. Compare checksums or md5sums of all files between each version of the system. Any binaries, libraries, or config files that have changed need to be closely examined and possibly replaced. Obviously, you need to fix whatever it was that let them in as well. ---------------------------------------------------------------------- Jon Lewis *jlewis () lewis org*| Spammers will be winnuked or System Administrator | nestea'd...whatever it takes Atlantic Net | to get the job done. _________http://www.lewis.org/~jlewis/pgp for PGP public key__________
Current thread:
- Compromised..., (continued)
- Compromised... Steve Logan (Feb 07)
- Re: Compromised... David Bernick (Feb 07)
- Re: Compromised... Japheth (Feb 07)
- Re: Compromised... Simon Britnell (Feb 08)
- Re: Compromised... technot (Feb 09)
- Re: Compromised... Sebastian (Feb 09)
- Prank phone calls related to recent break-ins? Nate Carlson (Feb 09)
- Question about event log events JF Prieur (Feb 08)
- Re: Compromised... Jose Nazario (Feb 07)
- Re: Compromised... Jim Kinney (Feb 07)
- Re: Compromised... Jon Lewis (Feb 07)
- Re: Compromised... Joshua Krage (Feb 08)
- Re: Compromised... Rich Burroughs (Feb 09)
- Re: Compromised... Lane Davis (Feb 07)
- Re: Compromised... Marianovich Felix (Feb 08)
- Re: Compromised... Sebastian (Feb 08)
- 195.0.0.0/8 Scan Source amused () POBOX COM (Feb 10)
- hacked Anton (Feb 14)
- Re: Compromised... Stephen J. Friedl (Feb 14)
- Re: Compromised... Derek Vadala (Feb 14)
- Re: Compromised... Alexandru Popa (Feb 14)
