On Fri, Jul 21, 2000 at 11:45:19AM +1000, [EMAIL PROTECTED] wrote:

> I'm not using ftp to provide anything, merely to acquire.
> both wu-ftpd and proftpd (?ftp providers?) are on my machine, but
> to my knowledge I have not used them for anything. I use 'WebDownloader for X
> 1.16' to download files. I don't know if this is a frontend for one of the above
> programs, or if it is self-sufficient with its own security issues to bear in
> mind.
> Using the find command below turned up nothing that I thought looked
> particularly suspect, but then I don't know what exactly I'm looking for in
> the data that it produced (would it be unwise to post the output of this onto  
> the list?). 
> similarly there is nothing that looks out of the ordinary in my passwd file.

> I'm not sure where else to look, for what. I guess there's only so much I can
> do at this stage. 
> BTW, I have no use for 'news' how would I disable this, which gains su status
> twice a day, although I have not configured it at all?

        Start out with the following command:

        netstat -a | grep LISTEN

        Assuming you haven't been totally compromised and a root kit
installed on your system, this should tell you all the service ports
which are being listened on.  In other words, it will tell you what services
you are offering to the network whether you intended to or not.

        Once you have that, then you can begin to track them down and shoot
them.  One place to look for services is /etc/inetd.conf.  Edit that file
and disable (comment out) any services you do not want to be offering to
the network.  If the ftp line is not commented out, that means that other
people can connect to YOUR system and use ftp to access it.  Disabling the
server at your end will have no effect on your ability to connect to other
systems using ftp.  Once you have made changes to /etc/inetd.conf, save
the file and issue the command "killall -1 inetd".  (You have to be root
to do these things, BTW).

        If you have no use for news, why did you install it?

        Run the command:

        "rpm -qa | grep inn"

        If anything comes up, run the command:

        "rpm -e $name_of_package"

        Replace $name_of_package with the name you get from the first command.


        Note:  If you have been totally compromised, you may have to just
start over from scratch and reinstall.  Chances are good that the attacker
will leave a root kit on your system which replaces several system utilities
that then hide his tracks.  If he is into you that deep, it's really
difficult to dig him back out.

        You can also use rpm (assuming you are on an rpm based system)
to verify all the package files.  Some of us copy our rpm databases off
to read-only media and do verification from a known good boot, but that
requires that you had thought to set up the secure boot and the off-line
rpm database beforehand.

> takcq, so much.
> d.


> 
> On 20-Jul-00 [EMAIL PROTECTED] wrote:
> > What version of ftp are you using wu-ftpd or proftpd or the BSD ftpd?
> > Recently I remember that a vulnerability was found in wu-ftpd that could
> > allow a remote user to gain root privileges another was also found in
> > proftpd. Also remember that if you were cracked, and the user gained root

        There have been several holes found in almost all of the recent
ftp servers.  You need to be really up on the security updates if you are
offering an ftp service!

> > privileges, then he could have cleared your log files of any
> > incriminating evidence. Try to find if there are any suid and sgid scripts
> > left on your machine in case the cracker left a back door also look
> > through your passwd file for any uid 0 accounts don't search for strings
> > like :0: because he can always use :000: this is really surface because a
> > good cracker would not use such obvious methods. to search for suid and
> > sgid scripts use
> > find / -type f \( -perm -2000 -o -perm -4000 \) -print
> > 
> >  Noah
> > [EMAIL PROTECTED]



-- 
 Michael H. Warfield    |  (770) 985-6132   |  [EMAIL PROTECTED]
  (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
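The three checks discussed in this thread (what is listening, which files are setuid/setgid, and whether /etc/passwd has extra uid 0 entries), collected into one small POSIX shell script. This is an added example, not code from either poster; the function names are my own, and `ss` is used when present with the thread's `netstat` invocation as the fallback.

```shell
#!/bin/sh
# Added example (not from the original thread): audit helpers for the
# checks discussed above. Run as root for a complete picture.

# List listening TCP/UDP sockets. Prefers ss(8); falls back to the
# netstat pipeline given in the thread.
list_listeners() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltun
    else
        netstat -a | grep LISTEN
    fi
}

# Find setuid (-perm -4000) and setgid (-perm -2000) regular files
# under the given root (default /), staying on one filesystem.
find_setuid() {
    root="${1:-/}"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Print every account whose numeric uid is 0 in the given passwd file
# (default /etc/passwd). awk compares the uid field numerically, so
# "0", "00" and "000" all match, unlike grepping for the literal ":0:".
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "${1:-/etc/passwd}"
}

# Run all three checks and print a simple report.
run_audit() {
    echo "== listening sockets =="
    list_listeners
    echo "== setuid/setgid files =="
    find_setuid /
    echo "== uid 0 accounts (expect only root) =="
    uid0_accounts /etc/passwd
}
```

Source the file and call `run_audit`, or call the individual functions with a path argument to check a copied passwd file or a mounted filesystem from a known-good boot.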

