Spring. They've now got it reduced to a canned package that any scriptkiddy can
run - wonderful! (or, in C parlance, !wonderful ? :-)
Seriously, once the system has been compromised you are almost certainly forced to reinstall from trusted media (there are exceptions, but if you know enough to qualify you'd (a) know it and (b) probably remain unhacked).
Two pieces of advice, to prepare for reinstallation:
1) Obtain, read, and follow the advice in Maximum Linux Security by Anonymous, published by Sams, ISBN 0-672-31670-6 (yep, that's from the copy at my elbow right now).
2) Obtain and use tripwire. Details are in the book, other references include <http://www.ja.net/CERT/Software/tripwire/Tripwire.PS> and <http://www.tripwiresecurity.com/>. Tripwire is a system integrity checker, which provides some means of testing for intrusion and system compromises. Run it to get a baseline before putting the reinstalled system on the net, save the baseline on read-only media, re-run tripwire regularly and compare to the saved baseline to detect possible future intrusions.
Good luck!
--Bruce McCulley
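The baseline-then-compare routine Bruce recommends, as an added example that is not part of the original thread and is not Tripwire's own code: a small Python integrity checker that fingerprints a directory tree (mode, owner, size, SHA-256), saves the baseline together with a digest the admin writes down offline (standing in for the read-only media), and on a later run reports files that were added, removed or altered, including a trojaned binary that keeps the original size and mtime. The directory layout, file contents and the ld.so.preload drop are constructed for the demonstration only.

```python
"""Minimal tripwire-style integrity check: build a baseline of file fingerprints
before the rebuilt host goes online, store it off-box, and diff later runs
against it. Added example; not the Tripwire code base."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Attributes worth comparing. mtime is deliberately left out: an intruder
    can reset it with touch; a SHA-256 digest of the bytes cannot be faked."""
    st = path.lstat()
    entry = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
             "gid": st.st_gid, "size": st.st_size}
    if stat.S_ISLNK(st.st_mode):
        entry["target"] = os.readlink(path)  # record symlinks, never follow them
    elif stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        entry["sha256"] = h.hexdigest()
    return entry


def build_baseline(root: Path) -> dict:
    """Fingerprint every file under root, keyed by POSIX-style relative path."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order makes baselines diff cleanly
        for name in sorted(filenames):
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = fingerprint(p)
    return baseline


def save_baseline(baseline: dict, dest: Path) -> str:
    """Write the baseline and return its own SHA-256 for the admin to record
    offline; the file itself belongs on read-only media, not on the host."""
    data = json.dumps(baseline, sort_keys=True, indent=1).encode()
    dest.write_bytes(data)
    return hashlib.sha256(data).hexdigest()


def load_baseline(src: Path, expected_digest: str) -> dict:
    """Refuse a baseline whose digest no longer matches the recorded one."""
    data = src.read_bytes()
    if hashlib.sha256(data).hexdigest() != expected_digest:
        raise RuntimeError("baseline file has been tampered with")
    return json.loads(data)


def compare(baseline: dict, current: dict) -> dict:
    """Report paths that appeared, vanished, or whose fingerprint differs."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(k for k in common if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: a tiny fake filesystem, a baseline, then a
    'compromise' that swaps a binary, drops a file and wipes a log."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "sys"
        for d in ("bin", "etc", "var/log"):
            (root / d).mkdir(parents=True)
        ls = root / "bin" / "ls"
        ls.write_bytes(b"\x7fELF original ls")  # constructed stand-in for a binary
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "var" / "log" / "messages").write_text("boot ok\n")

        baseline_file = Path(tmp) / "baseline.json"  # in real life: the read-only medium
        digest = save_baseline(build_baseline(root), baseline_file)

        # Trojaned ls with identical size and restored mtime: only the hash tells.
        st = ls.stat()
        ls.write_bytes(b"\x7fELF trojaned ls")
        os.utime(ls, ns=(st.st_atime_ns, st.st_mtime_ns))
        (root / "etc" / "ld.so.preload").write_text("/lib/libz.so\n")  # constructed drop
        (root / "var" / "log" / "messages").unlink()

        return compare(load_baseline(baseline_file, digest), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run it as-is to see the three categories reported; in practice build_baseline() would be run against / (or the directories that matter: /bin, /sbin, /lib, /etc, /usr) from a boot off trusted media, with the checker itself kept off the host so a rootkit cannot edit the comparison out of existence.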
Tom Laurie wrote:
I just heard how hackers were focusing on cable systems by placing "Zombie" programs on the computers behind the cable. If you got one of these placed on your system you wouldn't notice it, but your computer could be used to go out and hack other computers. It is also virtually impossible to trace the Zombie program back to the originator.

I've helped a little with other gnhlug members to set up Concord Christian's Linux box connected to their Mediaone cable running IPChains. They got a call from ATT Broadband yesterday saying that their computer was being used to hack into other computers and sure enough, when you reboot their server it says Zombie at some point.

Does anyone know how to clean the Zombie off of their server?

Once it is off, how can I protect against it?

Tom Laurie
NH Office of Emergency Management
Systems Manager
603 223-3617
