Quoting [EMAIL PROTECTED] ([EMAIL PROTECTED]):

> What should I do now?

That's the bad news: You need to rebuild. Most important priorities:

1. Safeguard data.
2. Shut out the intruders.

Then:

3. Keep them from coming back.
4. Notify appropriate persons, if any.

The process of doing this is painful, so many admins try going halfway. That is almost always a bad idea, because the bad guys leave backdoor ways of getting back in, and you probably won't find them all (and, when they return, are often vindictive). The point is that you don't want to have to go through this pain _twice_, because you weren't careful enough the first time -- nor do you want your system wiped.

No executables or configuration files on the machine can be trusted and should be assumed unusable. This includes /bin, /sbin, /usr/bin, /usr/sbin, /usr/X11R6/bin, /lib, /usr/lib, /etc, crontabs, ~/bin, and so on.

At the moment, you are not in control of the machine, and can't predict when it might auto-erase or start attacking other sites elsewhere. Therefore, many would recommend flipping the AC power off, as your first step -- without an orderly shutdown.

Now, without running _any_ code on the system's hard drive, bring up some other maintenance-type Linux system that can mount the server's partitions (e.g., a second hard drive, a maintenance floppy, an LNX-BBC CDR disk, etc.). Make at least one complete data backup of the server's files. Remove those backups and put them somewhere else for safekeeping.

Read this thoroughly: http://www.cert.org/tech_tips/root_compromise.html

Now, build a new Linux installation while on a private network, using no executables or configuration files from the old machine. Copy over the old machine's data files. Manually edit /etc/* to recreate the old machine's configuration, referring to the old configuration files but not trusting them. Make sure you examine users' home directories and remove any executables stored there.
Recreate all user accounts, issuing all users without exception new passwords, but with their login temporarily disabled pending rebuild completion.

Apply all needed security updates to your distribution.

Look carefully at publicly accessible services, to ensure that none are enabled that you don't need, and that all remaining ones satisfy your local security policy.

Consider installing logcheck and tripwire.

Review your system configuration.

Probe your machine using nmap.

Connect your new server to the network.

Probe the machine and nearby hosts again using nmap.

Inform your users of their new passwords in person or via telephone, only (never e-mail). Sternly warn them that they must never re-adopt their former passwords -- if you trust them that far. If you don't, disable users' ability to change passwords.

Enable user login.

And re-read http://www.cert.org/tech_tips/root_compromise.html , just to make sure you didn't miss anything.

-- 
Cheers,                         "vi is my shepherd; I shall not font."
Rick Moen                                          -- Psalm 0.1 beta
[EMAIL PROTECTED]

_
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
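The "examine users' home directories and remove any executables stored there" step, as an added shell example that is not part of Rick Moen's post: it assumes the old disk has been mounted read-only from a separate maintenance boot (the device path and mount point below are assumptions) and that GNU find is available; it only lists files for review and never runs anything from the mounted disk.

```shell
#!/bin/sh
# Added example, not from the original post. Run from a separate
# maintenance system with the compromised disk mounted under ROOT.
# Lists (never runs) every regular file under the given directories
# that carries an execute, setuid or setgid bit, so each can be reviewed
# and left out of what is copied to the rebuilt server. Assumes GNU find.

# Mount options for the old disk: read-only, and nothing on it may be
# executed, gain privileges, or be used as a device node. Usage (device
# and mount point are assumptions):
#   mount -o "$(safe_mount_opts)" /dev/sdb1 /mnt/old
safe_mount_opts() {
    printf '%s' 'ro,noexec,nosuid,nodev'
}

# list_executables ROOT DIR...
# Prints "MODE PATH" for each regular file below ROOT/DIR with any of the
# x, setuid or setgid bits set; -xdev keeps find on the mounted disk.
list_executables() {
    root=$1
    shift
    for d in "$@"; do
        find "$root/$d" -xdev -type f -perm /6111 -printf '%m %p\n' \
            2>/dev/null
    done | sort
}

# count_executables ROOT DIR...   number of such files, for a summary line
count_executables() {
    list_executables "$@" | wc -l | tr -d ' '
}

# Typical use during the rebuild (mount point is an assumption):
#   list_executables /mnt/old home/alice home/bob
```

Review each listed path by hand; a setuid file hiding as a dotfile (mode 4xxx) is caught by the same test as a plain executable.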
