When you're hacked, the best thing to do is wipe the disks and restore from backups.

Now, if you have a system that's not patched, that system can be hacked in moments. When bringing a server up for the first time, or after an extended disconnection, it's best to update all the packages before connecting to the wild. The other best thing to do is shut down all but the necessary services. Make sure that all passwords are "good", and that all default passwords have been changed. Use Iptables/Ipchains religiously for both incoming and outgoing connections.

A server that hasn't been connected in a year most likely has a distribution on it that is no longer being updated. If you're going to be using a system infrequently, or over a long period of time, pick a distribution that is likely to stick around for a while, like Debian, or CentOS, or one of the commercial distros, like RHEL or SuSE. They have slower release cycles and longer maintenance windows than other popular distributions.

On Tue, 22 Feb 2005 21:43:20 EST, cate serino <[EMAIL PROTECTED]> wrote:
> Hi,
>
> After only having my server up for a few hours and to a state that I
> thought was fairly secure, I got hacked with what I think is a man in the
> middle attack. Other than turning off ports (telnet, etc.), changing
> root passwords, and editing the hosts.allow and hosts.deny files, what
> can I do to secure my server? I noticed that he/she was able to run
> ipchains and filter through his/her IP. In addition, he/she was able
> to mount a filesystem on my machine. I have flushed the ipchains and
> unmounted the filesystem. Am I missing anything? I have not had my
> server up for a year. Has the Internet become that bad in one year?
>
> Many thanks,
>
> Cate Serino
> --
> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc

--
Joseph Tate
Personal e-mail: jtate AT dragonstrider DOT com
Web: http://www.dragonstrider.com
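
One way to check a ruleset against the advice in the reply above (filter both incoming and outgoing traffic, expose only the necessary services), as an added example that is not part of the original thread. It reads text in the format printed by `iptables -S`; the sample ruleset and the `NECESSARY_TCP_PORTS` allowlist are constructed assumptions.

```python
import shlex

# Assumption: SSH is the only service this server needs to expose.
NECESSARY_TCP_PORTS = {22}

# Constructed sample in `iptables -S` format (not taken from the thread).
SAMPLE_RULES = """\
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 111 -j ACCEPT
"""


def option(tokens, name):
    """Return the value that follows option `name`, or None if absent."""
    return tokens[tokens.index(name) + 1] if name in tokens[:-1] else None


def audit(ruleset, allowed_ports=NECESSARY_TCP_PORTS):
    """Flag permissive default policies and TCP ports opened beyond the allowlist.

    Only plain `--dport N` and `--dport N:M` matches are inspected; multiport
    and negated matches are outside the scope of this sketch.
    """
    findings = []
    for line in ruleset.splitlines():
        tokens = shlex.split(line)
        if len(tokens) == 3 and tokens[0] == "-P":
            chain, policy = tokens[1], tokens[2]
            # Both directions should default to DROP, not just INPUT.
            if chain in ("INPUT", "OUTPUT") and policy != "DROP":
                findings.append(f"{chain}: default policy is {policy}, not DROP")
        elif tokens[:2] == ["-A", "INPUT"] and option(tokens, "-j") == "ACCEPT":
            dport = option(tokens, "--dport")
            if option(tokens, "-p") != "tcp" or dport is None:
                continue
            low, sep, high = dport.partition(":")
            first = int(low or 0)
            last = int(high or 65535) if sep else first
            if any(p not in allowed_ports for p in range(first, last + 1)):
                findings.append(f"INPUT: accepts tcp port {dport}, not in the necessary set")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```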
