rootkit?
John Summerfied
debian at herakles.homelinux.org
Wed Dec 14 06:54:04 UTC 2005
Craig White wrote:
>>>Sounds like a guessed password then. Regardless, the best thing to do
>>>is to rebuild from scratch and then set strong passwords on all
>>>accounts. That is the only way to be sure the system is really back
>>>under your control.
Setting users' shells to /bin/false can help too. Also, make use of
tcpwrappers, both to control where acceptable connexions come from (if
you're not from _my_ area you can't get connected long enough to discuss
authentication) and to alert to attempts:
www:~# tail /etc/hosts.{allow,deny}
==> /etc/hosts.allow <==
#
# Example: ALL: LOCAL @some_netgroup
# ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# If you're going to protect the portmapper use the name "portmap" for the
# daemon name. Remember that you can only use the keyword "ALL" and IP
# addresses (NOT host or domain names) for the portmapper. See portmap(8)
# and /usr/doc/portmap/portmapper.txt.gz for further information.
#
sshd: 192.168. 203.34. 220.235. 203.59. 203.55. 203.33. 202.72.
==> /etc/hosts.deny <==
# The PARANOID wildcard matches any host whose name does not match its
# address. You may wish to enable this to ensure any programs that don't
# validate looked up hostnames still leave understandable logs. In past
# versions of Debian this has been the default.
# ALL: PARANOID
sshd: ALL
false: ALL: spawn ((echo attack from %h;id -a) | \
    /usr/bin/mail -s %d-%h root) &
www:~# cat /etc/xinetd.d/telnet
# default: off
# description: An internal xinetd service which gets the current system time
# then prints it out in a format like this: "Wed Nov 13 22:30:27 EST 2002".
# This is the tcp version.
service telnet
{
    disable     = no
    socket_type = stream
    protocol    = tcp
    user        = games
    wait        = no
    flags       = NAMEINARGS
    server      = /usr/sbin/tcpd
    server_args = /bin/false
}
www:~#
Read docs and/or try it out if you don't understand it.
>>>
>>
>>Isn't rebuilding a little extreme? If the cracker got into an
>>unprivileged user's account and no further isn't that particular user
>>account the only thing at risk? Shouldn't changing all passwords to
>>strong ones and deleting the infected user account and files be
>>sufficient?
>
> ----
> You would have to know EXACTLY what was compromised and that would be
> difficult to determine and clearly it would take a lot less time than
> simply backing up the data, wiping out the installation and reinstalling
> fresh. Once a box is owned by someone else, you can't trust anything
> including reports from things like rpm -Va. The only thing you might be
> able to trust is a check from tripwire which had the checksums stored on
> a read-only filesystem like a CD.
rpm -Va with a known good rpm (e.g. rescue cd) would do me.
--
Cheers
John
Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/
do not reply off-list
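As an added example (not part of the post, and not tcpd's own code), a small Python evaluator for hosts.allow/hosts.deny rules of the kind shown above: it applies tcpd's allow-then-deny order and a subset of hosts_access(5) patterns (ALL, trailing-dot address prefixes, leading-dot domain suffixes, EXCEPT, the allow/deny option words), so an admin can check which clients a rule set actually admits and what the spawn alert would expand to. The rule text is constructed from the post with fewer address prefixes, and the client names and addresses are constructed too.

```python
"""Added example: evaluate tcpwrappers-style hosts.allow / hosts.deny rules.
Subset of hosts_access(5): ALL, trailing-dot address prefixes, leading-dot domain
suffixes, EXCEPT, allow/deny option words; spawn options are expanded, not run."""
HOSTS_ALLOW = """
sshd: 192.168. 203.34. 220.235.
"""
HOSTS_DENY = """
sshd: ALL
false: ALL: spawn ((echo attack from %h;id -a) | \\
    /usr/bin/mail -s %d-%h root) &
"""

def _parse(text):
    """Yield (daemons, clients, option) per rule; joins backslash continuations."""
    text = text.replace("\\\n", " ")
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 2)            # daemon list : client list [: option]
        if len(fields) < 2:
            continue
        option = " ".join(fields[2].split()) if len(fields) == 3 else ""
        yield fields[0].split(), fields[1].split(), option

def _match_token(pattern, host, addr):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):                # domain suffix, e.g. .foobar.edu
        return host.endswith(pattern)
    if pattern.endswith("."):                  # address prefix, e.g. 203.34.
        return addr.startswith(pattern)
    return pattern in (host, addr)             # exact host name or address

def _match_list(tokens, host, addr):
    """'a b EXCEPT c d' matches when (a or b) matches and none of (c, d) does."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (_match_list(tokens[:i], host, addr)
                and not _match_list(tokens[i + 1:], host, addr))
    return any(_match_token(t, host, addr) for t in tokens)

def hosts_access(daemon, host, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Return (granted, option): first match in allow wins, then deny, else grant."""
    for granted, table in ((True, allow), (False, deny)):
        for daemons, clients, option in _parse(table):
            if ("ALL" in daemons or daemon in daemons) and _match_list(clients, host, addr):
                if option in ("allow", "deny"):    # option word overrides the table
                    granted = option == "allow"
                return granted, option.replace("%d", daemon).replace("%h", host).replace("%a", addr)
    return True, ""                               # no rule matched: tcpd grants access
```

Note that tcpd also supports netmask patterns, LOCAL, KNOWN/UNKNOWN and PARANOID, which this evaluator does not model.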