Ben Holt (ben@emediastudios.com)
Fri, 16 Mar 2001 11:39:14 -0800
Hi Derek,
I can't explain why you were able to log-in via the GUI, but not in text mode;
however, it _does_ sound as though your machine has been cracked. Have you
updated any of the rpm packages, or are the packages you are using original
RH6.0 packages? A number of security fixes have been made since RH6.0 was
first released (and RH7.0 for that matter!). In order to maintain your
machine's security it is important to make updates as they are released.
Updates are available from ftp://ftp.redhat.com and a number of mirror sites
such as ftp://sunsite.ualberta.ca.
ps is one of the programs commonly changed to help hide processes being run by
a cracker. A relatively easy, although not definitive, way to check the
integrity of the packages on your machine is to run 'rpm --verify -a'. Check
'man rpm' for information about how to interpret the results. While a negative
response from this check does not guarantee that you have not been cracked, a
positive response is a good indication that you have been and that the cracker
has altered programs (such as ps) on your machine... although, without checking,
the two new user accounts all but confirm that you've been cracked anyway.
I am by no means a security expert, but hopefully this helps. I'm sure others
on the list can provide you with better information. Where you are likely to
run into difficulty is in cleaning up your machine so that it is in a state
where you can be certain that there aren't any back-doors that could have been
installed by the cracker. It may be easier to simply format the drive(s) and
re-install from scratch and then update all relevant packages.
BTW - Yes, there are RedHat RPMs for OpenSSH. My own personal experience with
OpenSSH has been that it is still not fully compatible with the commercial
version. If you are using the machine for non-commercial use I would suggest
that you grab the source for the commercial version (which can be used for free
for non-commercial use) from ftp://ftp.ssh.net and install it. Despite having
to compile it yourself it is a painless process ('./configure; make;
make install' should do the trick). Much, much better than using telnet for
remote access.
Good luck.
- Ben
> Was my computer hacked? Can anybody help me to fix it? Once fixed, how can I
> protect my computer? I haven't installed ssh (sometimes I telnet from a
> remote site) on my machine; should I install it? Does RedHat have an ssh RPM?
-- This message came to you via the Vancouver Linux Users Group mailing list. For unsubscription instructions do not email the list, but rather send mail to <vanlug-request@gweep.bc.ca>.
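An added example (not part of the original message) of how the output of 'rpm --verify -a' mentioned above can be triaged: it parses rpm's documented verify flags and separates changed programs from routinely edited config files. The directory list, the triage rule and the sample output are assumptions constructed for illustration.

```python
import re

# Flag letters in the order rpm prints them; '.' = check passed, '?' = check not run.
FLAGS = {
    "S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
    "U": "owner", "G": "group", "T": "mtime", "P": "capabilities",
}
# Old rpm prints 8 flag columns, newer rpm 9; an optional marker (c = config,
# d = doc, g = ghost, l = license, r = readme) precedes the path.
LINE = re.compile(r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<kind>[cdglr])\s+)?(?P<path>/.*)$")
MISSING = re.compile(r"^missing\s+(?:(?P<kind>[cdglr])\s+)?(?P<path>/.*)$")
# Assumption: directories where a changed packaged file deserves a closer look.
BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/", "/usr/lib/")

def parse_line(line):
    """Return (path, kind, set_of_failed_checks), or None for unrecognised lines."""
    m = MISSING.match(line)
    if m:
        return m["path"], m["kind"], {"missing"}
    m = LINE.match(line)
    if not m:
        return None
    return m["path"], m["kind"], {FLAGS[c] for c in m["flags"] if c in FLAGS}

def triage(output):
    """Split findings into suspicious (changed programs) and routine (configs, docs)."""
    suspicious, routine = [], []
    for line in output.splitlines():
        parsed = parse_line(line.strip())
        if parsed is None:
            continue
        path, kind, failed = parsed
        changed = failed & {"digest", "size", "missing", "mode", "owner"}
        if kind is None and path.startswith(BIN_DIRS) and changed:
            suspicious.append((path, sorted(failed)))
        else:
            routine.append((path, sorted(failed)))
    return suspicious, routine

# Constructed sample output, not taken from any real machine.
SAMPLE = """\
S.5....T c /etc/inittab
.......T   /usr/doc/foo/README
S.5....T   /bin/ps
SM5..UG.   /bin/login
missing    /usr/bin/top
"""

if __name__ == "__main__":
    print(triage(SAMPLE)[0])
```

Because rpm and its database live on the same disk as the files being checked, the result is more trustworthy when the check is run with an rpm binary from known-good media.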
This archive was generated by hypermail 2.0b3 on Tue 03 Jul 2001 - 19:14:48