On Fri, 14 Sep 2001, [EMAIL PROTECTED] spewed into the ether:
> Dear friends.
>
> I think my server has been hacked. [Redhat 6.2]. While logged on to
> the server through telnet, sometimes my password is flashed on the
> terminal / telnet screen, or the email address of the last mail which I
> sent is shown in the command prompt. Otherwise all the other services
> are working normally [Sendmail/httpd/dns/ftp etc]. Telnet is allowed
> only for the local staff on the local network. From outside only
> ssh, ftp, smtp, dns are allowed. Can you please tell me which files/scripts I
> should check? How do I check if a file has been altered? The date and
> time stamp of login and bash have not been changed. Please help me come out
> of this problem.
Ok, this is pretty simple to do.
Compile netcat on a clean machine and copy the binary over to the
suspect machine. dd the entire hard disk over to a new disk across the
network, including the contents of /proc and your memory, including
swap.
Ensure that the file system is correct (fdisk -l on the newer
machine). Reboot the suspect machine with a boot CD, and use rpm to
verify that the md5sums of the binaries are correct. If *all* software
is correct, then you don't have a problem.
If you had tripwire or aide or another system like that running, check
the online db against an offline database and verify the integrity of your
system.
If unclean:
Make another copy of the disk image, and md5sum the original and
copy to verify that they are the same. Then use grep on the copy to see
your logs (you will have to read raw disk data). This should give you
some clues about who broke in, when and how.
Back up your data (verify that all files are correct, then move them to
tape). Rebuild your machine from scratch, reboot into single user mode.
Bring up the IP stack, download all patches and apply the required ones.
Restore your compiled software from source, again after verifying its
integrity. Recreate users, with everyone having new passwords.
Restore the data. Install tripwire and logcheck or similar.
Set up a remote logging server. A good suggestion I have seen for this
was to send syslog to a non-existent machine and have another machine
in promisc mode sniffing all the traffic to the syslog machine.
There is no need to run telnet or ftp, everyone including local staff
must run ssh and scp (or sftp). You can try setting up ssmtp, but that
may not be necessary.
Devdas Bhagat
--
Man's unique agony as a species consists in his perpetual conflict
between the desire to stand out and the need to blend in.
-- Sydney J. Harris
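The image, verify and grep-the-raw-copy steps from the reply above, as an added shell example that is not part of the original thread. It runs on a constructed image file rather than a real disk; the hostname, IP address and log lines inside it are constructed sample values, and the rpm/tripwire verification step is left out because it needs the package database.

```shell
#!/bin/sh
# Added example (not from the original post). Exercises the image -> verify ->
# grep-the-raw-copy steps on a constructed image file in place of a real disk.
# The rpm -Va / tripwire verification step needs the package database and is
# not reproduced here.
set -e

# Build a small constructed "disk image": log-like text between blocks of
# zeros, standing in for log data left in raw blocks of the suspect disk.
# Hostname, IP address and timestamps are constructed sample values.
make_sample_image() {
    dd if=/dev/zero of="$1" bs=1024 count=4 2>/dev/null
    printf 'Sep 14 02:11:03 host login: FAILED LOGIN 1 FROM 10.0.0.5 FOR root\n' >> "$1"
    printf 'Sep 14 02:11:09 host login: ROOT LOGIN ON tty1\n' >> "$1"
    dd if=/dev/zero bs=1024 count=4 2>/dev/null >> "$1"
}

# Copy an image byte for byte with dd, as the post does for the whole disk
# (there, dd output is piped through netcat to the clean machine).
copy_image() {
    dd if="$1" of="$2" bs=4096 2>/dev/null
}

# Confirm original and copy carry the same md5sum before working on the copy.
# Returns 0 when identical, non-zero otherwise.
verify_copy() {
    a=$(md5sum < "$1" | cut -d' ' -f1)
    b=$(md5sum < "$2" | cut -d' ' -f1)
    [ "$a" = "$b" ]
}

# Pull login records out of the raw copy. -a treats the binary image as text,
# -o prints only the matching fragment rather than a whole block of zeros.
grep_raw_logs() {
    grep -a -o 'Sep 14 [0-9:]* host login: [A-Za-z0-9 ._]*' "$1"
}

# Stand-alone demonstration in a temporary directory.
work=$(mktemp -d)
make_sample_image "$work/suspect.img"
copy_image "$work/suspect.img" "$work/suspect-copy.img"
if verify_copy "$work/suspect.img" "$work/suspect-copy.img"; then
    echo "copy verified, log fragments recovered from raw image:"
    grep_raw_logs "$work/suspect-copy.img"
else
    echo "copy does not match original, do not trust it" >&2
fi
rm -rf "$work"
```

On a real disk the same grep is run against the dd copy, never the original image, so the original stays untouched as evidence.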
_______________________________________________
linux-india-help mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/linux-india-help