Hello,

I'm not completely sure that I am hearing you right, so please bear with me if 
I miss the mark on this one.

Is it just a web server?  If so, it might be worth looking into mod_security.  
As well, I would make sure that it has a firewall set up (maybe iptables or 
ipchains).  These two should provide some sound mechanisms for recording 
connections to the site as well as denying some known attacks.  You should be 
able to find pre-built configurations for these as well.

Something else you might want to do is head on over to:
http://www.securityfocus.com/vulnerabilities

With that site, you can look for software that is on your server that may be 
vulnerable.

With post-intrusion analysis, something to look for may be files owned by the 
user that the web server is running as (or whatever other services are 
running).  A lot of times /tmp is a default place to go for script kiddies, 
simply because it is a world writeable directory.  If you do find executables 
in there, you can usually run the command "strings" on them and then search 
google for the miscellaneous strings you find.  This will often identify the 
exploit they used in the form of source code.  I have used this approach to 
identify many things about an intruder in the past; it actually works pretty 
well.

I'm not sure that rkhunter or chkrootkit will help much considering they 
function best if they were installed before the intrusion, but they may still 
be able to provide you with info.  On redhat, I seem to remember there being 
a way to check file integrity using the rpm tools.  Unfortunately, I don't 
remember since I haven't touched redhat since I landed on gentoo.  ;-)

If they haven't been able to cover their tracks, you may find an IP address 
somewhere that connected to your box.  You may want to do lookups using dig, 
nslookup, whois, or whatever tools you have available.  You should be able to 
identify the ISP, if not the exact company with the offending box.  As well, 
you may use grep on /var/log and usually find other ways they tried to get in 
(this is usually a sign of a targeted attack as opposed to just an automated 
attack that discovered your redhat box).

Another fun place to use an IP you have discovered is on this site:
http://www.dshield.org

I hope this helps, I wanted to provide more rather than less as incidents can 
get pretty sticky with politics and pointy fingers.

Good luck, and happy hunting!

Robert Larson


On Friday 20 January 2006 08:30 am, Jean Blignaut wrote:
> Got feedback from the firewall guy:
> According to his snort logs the ip I was told did the portscan was not
> in fact the culprit, the reverse lookup domain name for that ip is
> responsible but at this stage it still has an old ip pointing to an old
> redhat 7 box that's overdue for retirement but still has a few
> straggling websites (old big and buggy - one in particular is written in
> old perl cgi scripts) It seems my problem might just be bigger than I
> thought any ideas on how I might secure a red hat 7 box (muhahahaha)
>
-- 
[email protected] mailing list
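The triage steps Robert describes (executables owned by the web server user in /tmp, pulling printable strings out of them, counting the addresses that show up in the logs, rpm file verification), as an added POSIX sh example that is not part of the original mail. The service user, directory and log file are assumed to be passed in by whoever runs it; the `rpm -Va` step only runs where rpm exists.

```shell
#!/bin/sh
# Added example, not from the original post: small post-intrusion triage
# helpers. All arguments (directory, service account, log file) are the
# caller's assumptions, nothing here is hard-coded to a real host.

# 1. Executable files owned by the given service account (e.g. the user the
#    web server runs as) under a world-writable directory such as /tmp.
find_owned_executables() {   # args: directory user
    find "$1" -user "$2" -type f -perm -u+x 2>/dev/null | sort
}

# 2. Printable runs of 4+ characters in a binary, a portable stand-in for
#    the `strings` command; these are the strings you would then go and
#    search for to identify the tool that was dropped.
printable_strings() {        # arg: file
    grep -aoE '[[:print:]]{4,}' "$1"
}

# 3. Distinct IPv4 addresses seen in a log file, most frequent first, which
#    is the quick way to spot the box that kept coming back.
ip_hits() {                  # arg: logfile
    grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' "$1" | sort | uniq -c | sort -rn
}

# 4. On an RPM-based box, list packaged files whose digest no longer matches
#    (column 3 of `rpm -V` output is '5' for a changed checksum). Prints
#    nothing, and does not fail, on systems without rpm.
rpm_changed_files() {
    command -v rpm >/dev/null 2>&1 && rpm -Va 2>/dev/null | grep -E '^..5' || true
}

# Typical run (constructed values):
#   find_owned_executables /tmp apache
#   printable_strings /tmp/.x | sort -u
#   ip_hits /var/log/httpd/access_log | head
#   rpm_changed_files
```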