[K12OSN] Help - possible hacking of our NFS/NIS LTSP server

Ron Freidel rfreidel at computergeex.com
Tue Mar 22 23:25:30 UTC 2005


You could try running chkrootkit http://www.chkrootkit.org/, but if your
system was indeed compromised sometimes the best thing to do is to wipe the
system and start fresh.

The best way to avoid that situation is by making sure your user passwords are
not easily guessed, change passwords on a regular schedule, disable root ssh
login (in my opinion it should never be enabled by default), run sshd on a
different port than 22, drop any connection coming from Asia, or any network
you don't want to connect, and read one of the many security howtos.

As a test one time I had a Linux box that I was planning to wipe out. I
changed the root password to "password", then sat and watched; it took about ten
minutes for someone from Asia to log in. Before I unplugged the RJ45 cable they
had created an account, ftp'd some files and were starting to create some
folders; at that point I unplugged them from the net.

The changes took place so quickly it must have been a script.

Shane Stafford (staffords at glenburn.net) wrote:
>
> well it looks like someone compromised our NFS/NIS server.
>
> Someone has reported to UNET that our server was trying this ssh login
> brute force attack.  What is odd is that the report was on March 19 and the UNET
> folks looked today and didn't see anything.
>
> What can I do to look for this script or hack?  How do I make sure it
> doesn't happen again?  If it happens again, they will filter out that server, and our
> entire LTSP system relies on that machine.
>
> I did find a test account logged in under odd circumstances, so I killed
> the processes and deleted the test account.  But I worry about what damage
> may be done.
>
> thanks for any advice
> Shane
>
> Shane Stafford, MCSE, MCT
> Director Information Services Glenburn School and Town
> Educational System Integrator/Network Engineer
> S & B Consulting
>
> _______________________________________________
> K12OSN mailing list
> K12OSN at redhat.com
> https://www.redhat.com/mailman/listinfo/k12osn
> For more info see <http://www.k12os.org>
>

--
Ron Freidel
Sys Admin
Computer Geex, Inc.
(406) 491-3378
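Shane asks how to look for the hack, and Ron's reply points at the usual entry point: password guessing against sshd. The script below is an added example (not from either poster) that scans sshd "Failed password" / "Accepted password" lines in the format OpenSSH writes to /var/log/secure or /var/log/auth.log, counts failures per source address, and flags any successful login that follows a burst of failures from the same address, or any root login by password. The log lines embedded in it are constructed for the example; the host name, addresses and account names are made up. One caveat a practitioner would add: on a host that has really been compromised the logs may already have been edited, which is the reason Ron recommends a wipe rather than trusting what the box tells you.

```python
import re
import sys
from collections import defaultdict

# Constructed sample lines (not real data) in the format OpenSSH writes to
# /var/log/secure or /var/log/auth.log. "203.0.113.45" is a documentation
# address standing in for a hostile source; "test" is the account from
# Shane's report; "shane" is a normal admin login used for contrast.
SAMPLE_LOG = """\
Mar 19 02:13:41 ltsp sshd[4123]: Failed password for root from 203.0.113.45 port 51022 ssh2
Mar 19 02:13:43 ltsp sshd[4125]: Failed password for root from 203.0.113.45 port 51030 ssh2
Mar 19 02:13:45 ltsp sshd[4127]: Failed password for invalid user admin from 203.0.113.45 port 51038 ssh2
Mar 19 02:13:47 ltsp sshd[4129]: Failed password for invalid user oracle from 203.0.113.45 port 51044 ssh2
Mar 19 02:13:49 ltsp sshd[4131]: Failed password for test from 203.0.113.45 port 51050 ssh2
Mar 19 02:13:52 ltsp sshd[4133]: Failed password for test from 203.0.113.45 port 51058 ssh2
Mar 19 02:13:55 ltsp sshd[4135]: Accepted password for test from 203.0.113.45 port 51066 ssh2
Mar 19 09:30:02 ltsp sshd[5001]: Accepted publickey for shane from 192.0.2.10 port 40012 ssh2
Mar 19 09:41:17 ltsp sshd[5020]: Failed password for shane from 192.0.2.10 port 40020 ssh2
Mar 19 09:41:25 ltsp sshd[5022]: Accepted password for shane from 192.0.2.10 port 40026 ssh2
"""

# One regex covers both outcomes; "invalid user" appears when the account
# does not exist at all, which is typical of a dictionary of default names.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Return the fields of an sshd auth line as a dict, or None for other lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyse(log_text, fail_threshold=5):
    """Count failures per source address and flag suspicious successful logins.

    A login is flagged when the same address already produced at least
    fail_threshold failures (guess-then-succeed), or when root logged in
    with a password (which Ron recommends disabling outright).
    """
    failures = defaultdict(int)       # source address -> failed attempts so far
    users_tried = defaultdict(set)    # source address -> account names guessed
    flagged = []

    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
            users_tried[ev["ip"]].add(ev["user"])
            continue

        reasons = []
        if failures[ev["ip"]] >= fail_threshold:
            reasons.append(
                f"{failures[ev['ip']]} failed attempts from this address before success")
        if ev["user"] == "root" and ev["method"] == "password":
            reasons.append("root logged in with a password")
        if reasons:
            flagged.append({"ts": ev["ts"], "user": ev["user"],
                            "ip": ev["ip"], "reasons": reasons})

    return {
        "failures": dict(failures),
        "users_tried": {ip: sorted(u) for ip, u in users_tried.items()},
        "flagged": flagged,
    }


if __name__ == "__main__":
    # Usage: python sshd_audit.py /var/log/secure   (no argument = built-in sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    report = analyse(text)
    for ip, n in sorted(report["failures"].items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} failures, accounts tried: {', '.join(report['users_tried'][ip])}")
    for hit in report["flagged"]:
        print(f"SUSPICIOUS {hit['ts']} {hit['user']}@{hit['ip']}: {'; '.join(hit['reasons'])}")
```

Run it against the real log and the "accounts tried" list tells you which names the script was guessing; a successful login to one of them after a burst of failures is the moment Shane is asking about, and the timestamp gives a starting point for checking what that session created (new accounts, ftp'd files, cron entries). On the sample data the only flagged login is the test account from 203.0.113.45; the single failed password for shane before a successful login from the admin's own address is below the threshold and is not reported.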
