[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [K12OSN] I got hacked.........

To add to all the good advice given so far on this topic, the best philosophy to assume with regard to security is
1) you will never be totally secure, sooner or later something will get compromised. This is actually true, not just a belief.
2) if you want to be secure most of the time you have to be really paranoid about it. Not just 'hmm, let's see what the security journal advices me to do this month?' but actually constantly thinking about it. Things like, first thing you do after su'ing to root is run netstat -nap | less and checking for things (that of course, implies that you run tripwire every day or more often (on a scheduled basis) to make sure netstat hasn't been tinkered with, it also assumes only root can execute netstat along with most other network related utilities) and about a hundred other things like that at the very least.

A common misconception people seem to have is expecting software to be secure. It never is, just like you house never is anywhere close to secure. Anyone can kick in your door and walk in. The only thing that saves you most of the time is the fact that the incentive to kick in your door is dramatically decreased by police activity. Not so on the Internet.

To quote the CEO of Intel, "Only the paranoid survive".


Michael Cortes wrote:

It would appear that someone used SSH to get into my system. I decided to install sshd and stop telnet'ing because of the security risk, as soon as I do it, someone got in.

Anyhow, here is what I suspect so far:

1. when they got in, they created the user "cgi"
2. they added "unset HISTFILE" and "unset HISTSAVE" to the root's .bash_profile. This casused root to not save the history so I couldn't see what was run as root.
3. logging is not happening. I have checked my log files and the last entries are about the time I first detected the break in.

So my questions are:

Did I do right by deleting the cgi user?  Was this user necessary?
How do I turn on logging back on?  I have no idea where to look.
What is a good/quick way to tell which users have no password set?

Thank you,

Michael Cortes Fort LeBoeuf School District 34 East 9th Street PO Box 810 Waterford PA 16411-0810 814.796.4795 Fax1 814.796.3358 Fax2 978-389-1258

K12OSN mailing list
K12OSN redhat com
For more info see <http://www.k12os.org>

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]