There are a number of things you should do. 

1) Find out what has changed on the machine.  Use 'rpm -V' against all
packages and see what was modified.  If they had root access, it is likely
they changed some system utils to add a backdoor.

2) Look for any other signs of backdoors.  Reinstall the package with
netstat (a lot of rootkits replace netstat) and do 'netstat -a' to look
for odd ports open; be sure you know what ports are open and why.

3) Reinstall the package with ps.  Look at ps output and see if there are
any unusual processes running.

4) Review inetd.conf.  Some rootkit exploits add new lines for new
services which are really backdoors.  One common one is to have a service
that launches bash, as root of course.

5) Look for odd things; one way I have seen backdoors and pieces hidden is
to create 'hidden' directories - esp. popular in /dev.  Here are a couple
of commands:

    find / -name '. ' -print
    find /dev \( -type f -o -type d \) -print
    
6) Secure telnet by limiting access.  The default with RH is to install
the TCP wrapper tcpd for telnet and ftp but the rules are empty.  Add
rules to hosts.allow and hosts.deny (see man pages for those two files).

7) Review CERT warning against what is running on your machine.  You need
to find how they entered and close it off.  Look at warnings about
wu-ftpd, rpc.statd, and BIND - these have been the popular attack points
this year.

8) Shut down all unnecessary services.

9) Install and run portsentry to close off access to anyone who does a
port scan.  Most attackers find victims by scanning.  Look at
freshmeat.net for the package.

Good luck,

- rick warner
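The checklist above (steps 1 through 5) as runnable shell, added here as an example; it is not part of Rick's post. It assumes a Red Hat style system with rpm -Va, the net-tools netstat, /etc/inetd.conf and GNU find, and every check reads its input from stdin or a path argument so it can be run over output saved from the suspect host. The sample rpm/netstat/inetd.conf output and the throwaway /dev look-alike are constructed for the demo, not taken from a real incident, and the EXPECTED_PORTS variable is an assumption of this script. Keep in mind the point made above about reinstalling netstat and ps: on a rooted box rpm, find and awk may be trojaned too, so run the checks with reinstalled tools or from clean boot media before trusting what they print.

```shell
#!/bin/sh
# Added example (not from the original post): helpers that mechanise the
# post-compromise checklist on a Red Hat style box. Each check reads command
# output on stdin or takes a path, so it works on output captured from the
# suspect host or on the constructed samples below. 'sh triage.sh --live'
# runs the real rpm/netstat/find locally (assumes rpm -Va, net-tools netstat,
# /etc/inetd.conf and GNU find).

# 1) rpm -Va: keep entries whose MD5 (5), size (S) or mode (M) changed, or that
#    are missing, and that live in a system binary or library directory.
#    Config files (column 2 is 'c') change legitimately and are skipped.
suspicious_rpm_changes() {
    awk '$NF ~ /^\/(bin|sbin|lib|usr\/(bin|sbin|lib))\// &&
         ($1 == "missing" || ($1 ~ /[S5M]/ && $2 != "c")) { print $NF }'
}

# 2) netstat -a: LISTEN sockets whose local port is not in the expected set.
#    Usage: netstat -an | unexpected_listeners "22 25 80"
unexpected_listeners() {
    awk -v ok="$1" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        $NF == "LISTEN" { m = split($4, p, ":"); if (!(p[m] in want)) print $1, $4 }'
}

# 3) inetd.conf: enabled services whose server program or arguments name a
#    shell, i.e. the "service that launches bash as root" backdoor.
inetd_shell_services() {
    awk '!/^[ \t]*#/ && NF >= 6 {
            for (i = 6; i <= NF; i++)
                if ($i ~ /(^|\/)(ba|k|tc|c|z)?sh$/) { print; break }
         }'
}

# 4) Hidden directories and stray regular files. Note the parentheses in
#    odd_dev_entries: without them '-type f -o -type d -print' binds as
#    '-type f -o (-type d -print)' and prints only the directories.
odd_dev_entries() {            # anything under $1 that is not a device node
    find "$1" -mindepth 1 \( -type f -o -type d \) -print
}
hidden_dot_names() {           # entries named only with dots and blanks: '. ', '...', ' .'
    find "$1" -mindepth 1 -print | awk -F/ '$NF ~ /^[. ]+$/'
}

# Constructed sample output (not from a real incident) for the demo and tests.
sample_rpm='S.5....T   /bin/ls
........   /bin/cat
..5....T c /etc/inittab
missing    /sbin/ifconfig
S.5....T   /usr/share/doc/README'
sample_netstat='Proto Recv-Q Send-Q Local Address   Foreign Address   State
tcp        0      0 0.0.0.0:22      0.0.0.0:*         LISTEN
tcp        0      0 0.0.0.0:31337   0.0.0.0:*         LISTEN
tcp        0      0 10.0.0.5:22     10.0.0.9:1025     ESTABLISHED
unix  2      [ ACC ]     STREAM     LISTENING     1234   /dev/log'
sample_inetd='# /etc/inetd.conf
telnet     stream tcp nowait root /usr/sbin/tcpd in.telnetd
ftp        stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
ingreslock stream tcp nowait root /bin/bash bash -i'
make_sample_dev() {            # throwaway /dev look-alike: one hidden dir, one stray file
    sd=$(mktemp -d)
    mkdir -p "$sd/. /tools" "$sd/pts"
    : > "$sd/. /tools/bd"
    : > "$sd/ptyzz"
    printf '%s\n' "$sd"
}

case "${1:-}" in
    --live)
        echo "== modified system binaries (rpm -Va)";  rpm -Va 2>/dev/null | suspicious_rpm_changes
        echo "== listeners outside EXPECTED_PORTS";    netstat -an | unexpected_listeners "${EXPECTED_PORTS:-22}"
        echo "== inetd.conf entries that run a shell"; inetd_shell_services < /etc/inetd.conf
        echo "== non-device entries under /dev";       odd_dev_entries /dev
        echo "== dot/blank-named entries under /";     hidden_dot_names / ;;
    *)
        echo "== demo on constructed samples (use --live on the suspect host)"
        printf '%s\n' "$sample_rpm"     | suspicious_rpm_changes
        printf '%s\n' "$sample_netstat" | unexpected_listeners "22 25 80"
        printf '%s\n' "$sample_inetd"   | inetd_shell_services
        sdev=$(make_sample_dev); odd_dev_entries "$sdev"; hidden_dot_names "$sdev"; rm -rf "$sdev" ;;
esac
```

On the sample data the demo reports /bin/ls and /sbin/ifconfig from rpm, the listener on 31337, the ingreslock line from inetd.conf, and the ". " directory plus the stray file under the fake /dev. Treat every hit as a lead to verify, not a verdict: ports appear in EXPECTED_PORTS only because you can say why they are open, which is the point of step 2.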

_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list