On Sat, Jun 23, 2001 at 09:33:13AM -0400, Greg wrote:

> Within 20 minutes of it being on the WAN I noticed I got a hit to my ftp 
> server (which I hadn't shutdown yet) so I promptly changed a bunch of

[SNIP]

> "var/log/messages" not a file. What the hell happened to my computer?

[SNIP]

> And problem number two, I want to set this machine up as a gateway and I 
> can't get it to recognize my second card. The card is a tulip based 

The solution to both of these problems is disconnect your system from
the Internet NOW and re-install.  It sounds like your system has been
compromised.  At a minimum, you should download ALL the security
updates from Red Hat, and apply them to your new install BEFORE you
reconnect it, if possible (i.e. from another connected system).  You
also should be careful not to install any services you're not going to
use.  Don't just leave them not running, leave them off the machine.
It's impossible to compromise code that isn't there...

Next, as soon as you possibly can, learn to use netfilter/iptables to
configure a firewall, and block all ports you do not explicitly
require.  You're going to need to do this anyway if you want to use it
as a NAT-ing gateway, and even if you don't need to NAT, this is the
most important thing you can do to make sure your systems are secure,
other than maybe making sure you stay current with security patches
for your OS.  

Also make sure you download either Red Hat's latest kernel, or the
latest from www.kernel.org -- there's a bug in netfilter that makes it
easy for a clueful attacker to open up arbitrary ports on your
firewall.  This is fixed in RH's latest kernel, as well as more recent
"stock" 2.4 kernels.  If you can help it, don't run ANYTHING on the
gateway machine, other than your firewall script.  An old system you
have lying around is great for this purpose, or you can pick one up
at a computer show for very little money...

Next, as soon as you possibly can, go to a bookstore near you and buy
a copy of Maximum Linux Security, and read it from cover to cover.
Try to formulate a plan for better securing your Linux box (and all
the other systems on your network, if you have any) while you're
reading it.  Then, follow up on your plan.

A Linux box on a cable modem will most likely be scanned in under 10
minutes from connection, and if you haven't done anything to protect
it you'll probably be compromised within a day.  The default install
of ALL OS's is not secure.  Linux makes a great target for bored
script kiddies because it is POWERFUL, and your cable modem makes it
FAST.  That's a deadly combination that equals script-kiddie hackfest.

As for your ethernet card problem, it should be detected on
re-install.  If it isn't, it may not be working properly.  You might
try re-seating it in its PCI slot, or try a different slot.  If that
doesn't help, try swapping the card...  if the new one works it's a
safe bet the other card doesn't.

Note that the ONLY way to reliably recover a compromised machine is to
wipe your system clean and re-install from known-clean media.  You
have no idea what they did to your system, so you'll never know if you
found and fixed all the back doors they left behind.

Oh, and my condolences...  welcome to the club.


-- 
---------------------------------------------------
Derek Martin          |   Unix/Linux geek
[EMAIL PROTECTED]    |   GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu


**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************

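As an added illustration of the "block all ports you do not explicitly require" and NAT gateway advice in the reply above (this script is not part of the original message and is not Derek's or Red Hat's code), here is a minimal default-deny netfilter/iptables ruleset for a two-card gateway. The interface names (eth0 facing the cable modem, eth1 the tulip card facing the LAN), the 192.168.1.0/24 LAN range and the single allowed service (SSH from the LAN only) are assumptions; adjust them to your own hardware and network.

```shell
#!/bin/sh
# Added example: default-deny iptables ruleset for a two-NIC NAT gateway.
# Not from the original post; interface names, LAN subnet and the
# permitted service ports below are assumptions for illustration.

WAN_IF="${WAN_IF:-eth0}"               # assumed: card facing the cable modem
LAN_IF="${LAN_IF:-eth1}"               # assumed: second (tulip) card, LAN side
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed: private LAN address range
LAN_SERVICES="${LAN_SERVICES:-22}"     # TCP ports reachable from the LAN only

# gen_rules prints the iptables commands instead of running them, so the
# ruleset can be reviewed before it is loaded on a live firewall.
gen_rules() {
    ipt=iptables
    cat <<EOF
$ipt -F
$ipt -t nat -F
$ipt -X
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A INPUT -m state --state INVALID -j DROP
$ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A INPUT -i $WAN_IF -s $LAN_NET -j DROP
EOF
    # Services are opened only on the LAN interface; nothing is opened on
    # the WAN side, so the old ftp server (and anything else) is unreachable
    # from the Internet even if it is still running.
    for p in $LAN_SERVICES; do
        echo "$ipt -A INPUT -i $LAN_IF -p tcp --dport $p -j ACCEPT"
    done
    cat <<EOF
$ipt -A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
$ipt -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
$ipt -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

# apply_rules loads the generated ruleset; must be run as root on the gateway.
apply_rules() {
    gen_rules | sh -e
}

# Default is a dry run that only prints the rules. Run with DRY_RUN=0 as
# root to actually load them.
if [ "${DRY_RUN:-1}" = "0" ]; then
    apply_rules
else
    gen_rules
fi
```

The anti-spoofing rules (dropping packets that arrive on the WAN card claiming a LAN source address) and the rule that drops INVALID state packets are worth keeping even on a single-user box. After loading, confirm with `iptables -L -n -v` that the INPUT and FORWARD policies read DROP, and with `netstat -tulpn` that nothing you did not intend is still listening; per the advice above, uninstall rather than just disable anything you find there.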