Efren Tello (etello@NOSPAMteraspan.com)
Fri, 16 Mar 2001 11:22:23 -0800
> Hi There,
>
> I have a RedHat Linux 6.0 (2.2.16-3) box at home, and I use 'IPCHAINS' to
> set up the firewall. Recently, I found that I can't use the 'ps -fe' command on
> my machine (it doesn't really fail, but it only displays my shell process and
> the getty processes). But I can still use 'ps -aux'.
>
In the future, try to check the security advisories regularly (especially for
the kernel), as 2.2.16-3 has some known security issues.
> Yesterday, I found that I couldn't log on to my computer in text mode.
> I tried to log in as other users, including root, and it just returned
> 'incorrect login'. I rebooted the machine, but that still didn't help. When I
> switched to GUI mode, I could log in to my machine. I found that there were two
> more users in the passwd and shadow files. I deleted the two users (one is
> 'b' and the other one is 'bb') from these files and rebooted, but it still
> didn't help (I still couldn't log in in text mode). This morning, I tried
> to log in (in GUI mode), and it just gave me a 'blue' screen; I knew that I could
> log in, but Enlightenment couldn't start up.
>
The passwords are validated the same way in console and GUI mode. If you
found users on your system that you didn't put there, and you weren't informed
by an authorized sysadmin that they put them there, then your system has
definitely been compromised.
By running ps you are probably just making it worse, as the crackers (most
of the time) replace ps (amongst other programs) with their own "personal" version.
> Was my computer hacked? Can anybody help me fix it? Once it's fixed, how can
> I protect my computer? I haven't installed ssh (sometimes I telnet from a
> remote site) on my machine; should I install it? Does RedHat have an ssh
> RPM?
>
> Many thanks,
>
Here you have some hints:
Disconnect your computer from the network (Internet).
Back up all important (non-binary/non-executable) files.
Check the log files, the logging daemons, and file checksums (CRCs) (you can
compare them against a new/freshly installed system).
Most importantly:
NEVER NEVER NEVER USE TELNET OR FTP TO ACCESS YOUR SYSTEM REMOTELY, AS
PASSWORDS ARE SENT IN PLAIN TEXT. Not even ssh1: grab the latest
OPENSSHxxx.RPM from RedHat and use SSH2 (instead of Telnet) and SFTP
(instead of FTP).
If possible, keep a copy of your root filesystem, as it can be used as
evidence against the intruders in court or when reporting the incident to the
police or to specialized security groups.
Many times the easiest (and fastest, though frustrating) solution is to
back up your data, rebuild the machine from scratch, and this time secure it
properly. If you have the time and want to learn lots of interesting things, I
would recommend Bob Toxen's book:
http://www.amazon.com/exec/obidos/ASIN/0130281875/qid=984769734/sr=1-1/ref=sc_b_2/107-2006410-5042927
It helped me a lot once when I had a Web server cracked via WU_FTPD (don't use
it anymore) vulnerabilities.
Once your computer is fixed, my suggestions are:
- Remove from your system all the services/packages you don't need/use
- Check security advisories/updates regularly (I do it daily)
- Subscribe to the relevant mailing lists (CERT, RedHat Security, etc.)
- Check your logs regularly, or automate log checking with e-mail/pager
notification when abnormal stuff is found
Remember, security mainly depends on the sysadmin's precautions/attention,
ipchains or iptables, Linux or not Linux.
Good luck
>
> Derek
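The advice above to compare file checksums against a freshly installed system, and the warning that intruders replace ps with their own version, as an added example (this is not code from the original post; the helper names, the sha256sum-based manifest format and the sample "clean"/"suspect" trees are constructed for illustration):

```shell
#!/bin/sh
# Hypothetical helper, not code from the original post. Builds a checksum
# manifest of system binaries on a known-good (freshly installed) tree and
# checks a suspect tree against it, flagging replaced or missing files.
# Assumes GNU coreutils (sha256sum). Run the tools from trusted media: on a
# compromised box sha256sum itself may have been replaced, just like ps.

# make_manifest ROOT FILE... : print "sha256  relative-path" for each file
make_manifest() {
    root="$1"; shift
    for f in "$@"; do
        h=$(sha256sum "$root/$f" | cut -d' ' -f1)
        printf '%s  %s\n' "$h" "$f"
    done
}

# verify_manifest MANIFEST ROOT : report MODIFIED/MISSING files, return 1 if any
verify_manifest() {
    manifest="$1"; root="$2"; bad=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root/$path" ]; then
            printf 'MISSING  %s\n' "$path"; bad=1; continue
        fi
        actual=$(sha256sum "$root/$path" | cut -d' ' -f1)
        [ "$actual" = "$expected" ] || { printf 'MODIFIED %s\n' "$path"; bad=1; }
    done < "$manifest"
    return "$bad"
}

# run_demo : constructed sample trees standing in for the fresh install and
# the suspect box; on the "suspect" tree ps was replaced and netstat deleted.
run_demo() {
    work=$(mktemp -d) || return 2
    mkdir -p "$work/clean/bin" "$work/suspect/bin"
    for b in ps ls netstat; do
        printf 'original %s binary\n' "$b" > "$work/clean/bin/$b"
        cp "$work/clean/bin/$b" "$work/suspect/bin/$b"
    done
    printf 'replaced ps that hides processes\n' > "$work/suspect/bin/ps"
    rm "$work/suspect/bin/netstat"
    make_manifest "$work/clean" bin/ps bin/ls bin/netstat > "$work/manifest"
    status=0
    verify_manifest "$work/manifest" "$work/suspect" || status=$?
    rm -rf "$work"
    return "$status"
}

run_demo || echo "suspect tree differs from the clean baseline"
```

On a real RedHat box `rpm -V` performs a similar comparison against the package database, but that database lives on the suspect disk too, so a manifest taken from a separate clean install is the more trustworthy baseline.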
-- This message came to you via the Vancouver Linux Users Group mailing list. For unsubscription instructions do not email the list, but rather send mail to <vanlug-request@gweep.bc.ca>.
This archive was generated by hypermail 2.0b3 on Tue 03 Jul 2001 - 19:14:48