Does it mean that the usual crack has been applied to my machine, to screw it up?
Arvind

----- Original Message -----
From: "Devdas Bhagat" <[EMAIL PROTECTED]>
To: "Linux India" <[EMAIL PROTECTED]>
Sent: Friday, May 03, 2002 3:27 PM
Subject: Re: [LIH] could i have been hacked?

> On 03/05/02 14:04 +0530, Arvind wrote:
> > I never opened all these services... but I see them all with an nmap.
> > What do I do?
> <snip>
> Oh, the usual.
> Rebuild the machine from scratch.
>
> Steps:
> If you want to do forensics (I think it's a bit late for that by now), you
> will want to make clean backups of your system.
> Get another two hard disks (one of them must be of the same size and
> make as your current HD), and one machine.
> Install a statically linked md5sum binary on the compromised machine.
> Install a statically linked known clean netcat on the compromised
> machine, and on one of the hard disks (if they are different, the one
> that is not the same size), dump a copy of your memory, and proc.
> compromised:dd|nc > clean:nc|dd . This HD must be in the second machine.
>
> Make the other hard disk clean (dd if=/dev/zero of=/dev/hdb where the
> second disk is connected as hdb).
> Ensure that the checksum is zero.
> dd the hard disk over to the clean disk. Verify the md5sum of the
> original and copy. These must be the same.
>
> Lock, seal and store for forensics.
>
> Rebuilding the compromised box:
> Disconnect the box from the network.
> Back up your data.
> Partition, format and reinstall. Install only the binaries you
> need. Nothing else. Strip the install down to its minimum.
> Download all patches to a second box.
> Make a network of only these two boxen.
> Patch the system to the full.
> Install tripwire, and generate the signature database.
> Move the database to offline read-only media.
> Set up a firewall.
> Retest for open ports.
> Check all installed binaries, make sure that there is nothing that
> you don't want to run installed.
> Remove suid bits from everything that doesn't need it
> (login and passwd do, ssh doesn't).
> Restore data from backup.
> Connect to the normal network.
>
> Devdas Bhagat
>
> _______________________________________________________________
> Have big pipes? SourceForge.net is looking for download mirrors. We supply
> the hardware. You get the recognition. Email Us: [EMAIL PROTECTED]
> _______________________________________________
> linux-india-help mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/linux-india-help
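The wipe, image and verify steps in Devdas's quoted post can be rehearsed safely before touching real hardware. The POSIX shell script below is an added example, not code from the thread: it uses two ordinary files (constructed here with dd) as stand-ins for the suspect disk and the receiving disk, zeroes the receiving one, confirms its md5sum matches an all-zero stream of the same size, copies the suspect image across with dd, and then compares the md5sums of original and copy. The file names, size and helper function names are assumptions for the demonstration; on real disks the same commands run against block devices, and the copy step is split across the dd|nc pipe the post describes.

```shell
#!/bin/sh
# Added example (not from the thread): rehearse Devdas's imaging checklist on
# two constructed files instead of /dev/hda and /dev/hdb. SOURCE_IMG stands in
# for the compromised disk, TARGET_IMG for the freshly wiped receiving disk.
set -u

WORK=$(mktemp -d)
SOURCE_IMG="$WORK/compromised.img"   # hypothetical stand-in for the suspect disk
TARGET_IMG="$WORK/clean.img"         # hypothetical stand-in for the receiving disk
SIZE_KB=64                           # constructed size; real disks are much larger

# Constructed sample "disk": random bytes, so a successful copy is meaningful.
dd if=/dev/urandom of="$SOURCE_IMG" bs=1k count=$SIZE_KB 2>/dev/null

md5_of() {
    # Print only the hex digest of a file; md5sum prints "digest  -" for stdin.
    md5sum < "$1" | cut -d' ' -f1
}

# Step 1: wipe the receiving disk (the post's dd if=/dev/zero of=/dev/hdb).
wipe_target() {
    dd if=/dev/zero of="$TARGET_IMG" bs=1k count=$SIZE_KB 2>/dev/null
}

# Step 2: "ensure that the checksum is zero": the wiped disk's md5sum must equal
# the md5sum of an all-zero stream of exactly the same size. This proves the
# wipe covered the whole device and nothing old survives on it.
verify_wiped() {
    got=$(md5_of "$TARGET_IMG")
    want=$(dd if=/dev/zero bs=1k count=$SIZE_KB 2>/dev/null | md5sum | cut -d' ' -f1)
    [ "$got" = "$want" ]
}

# Step 3: image the suspect disk onto the wiped one, then hash both sides.
# Across two machines this is the post's compromised:dd|nc > clean:nc|dd
# (e.g. "nc -l <port> | dd of=/dev/hdb" on the clean box and
# "dd if=/dev/hda | nc <clean-box> <port>" on the compromised box; the exact
# listener flags depend on the netcat variant). The image is only usable as
# evidence when the two digests match, so record both when sealing the disk.
image_and_verify() {
    dd if="$SOURCE_IMG" of="$TARGET_IMG" bs=1k 2>/dev/null
    src=$(md5_of "$SOURCE_IMG")
    dst=$(md5_of "$TARGET_IMG")
    echo "original: $src"
    echo "copy:     $dst"
    [ "$src" = "$dst" ]
}

# Run the three steps in order; the return code identifies the failing step.
run_all() {
    wipe_target      || return 1
    verify_wiped     || return 2
    image_and_verify || return 3
    return 0
}

cleanup() {
    rm -rf "$WORK"
}

# Stand-alone usage: run the checklist and report.
if run_all; then
    echo "wipe verified and image hashes match"
else
    echo "step $? failed"
fi
```

Note that the zero-check in step 2 depends on hashing exactly as many bytes as the target holds; on a real disk use the device's true size (or hash the whole block device directly) rather than a fixed count, otherwise a partially wiped drive can pass the check.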
