help i've been hacked. :(
Chris W. Parker
cparker at swatgear.com
Sat Aug 20 21:38:12 UTC 2005
Eris Caffee <mailto:eris-redhat-list at eldalin.com>
on Saturday, August 20, 2005 12:04 PM said:
> The first thing to do is download and run the chkrootkit and rkhunter
> programs. It sounds like you might have a rootkit installed, and
> these programs may be able to identify which one you have.
I will give them a try, thanks.
> Honestly,
> this information may turn out not to be too useful since you are
> already cracked, but you should get these programs anyway and start
> running them on a regular basis. They can at least help you to
> quickly notice if something like this ever happens again.
Thanks.
> As for how you were cracked, don't assume that it was through an
> unpatched vulnerability. I work for a very large ISP and I see
> cracked servers a few times a week and many break-ins are done by
> exploiting improperly configured security.
Yeah, that's possible.
> For example, check to see
> if your /tmp directory is mounted with the noexec and nosuid options.
> Just enabling those options can prevent a lot of cracks since many
> attacks rely on being able to exploit a weak cgi script to upload a
> program into /tmp and run it.
It was pretty much just a default install of RH9.
> Good luck! Getting cracked like this is no fun at all and can really
> cost money if your business depends on it. Try to use this
> opportunity to learn as much as you can about security so you can
> prevent this from happening again.
Thanks for all the information!
Chris.
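
The /tmp mount check suggested in the quoted advice, as an added example that is not part of the original thread. The function name `check_mount_opts` and the sample mount table are constructed for illustration; the input format is that of /proc/mounts.

```shell
#!/bin/sh
# check_mount_opts MOUNTS_FILE MOUNTPOINT   (hypothetical helper name)
# Prints "ok", "missing:<opts>" or "not-a-mount"; returns 0 only for "ok".
check_mount_opts() {
    mounts_file=$1
    target=$2
    # Field 2 is the mount point, field 4 the option list. The last
    # matching line wins because later mounts shadow earlier ones.
    opts=$(awk -v mp="$target" '$2 == mp { o = $4 } END { print o }' "$mounts_file")
    if [ -z "$opts" ]; then
        # No dedicated mount: the directory inherits its parent's options.
        echo "not-a-mount"
        return 2
    fi
    missing=""
    for want in noexec nosuid; do
        # Wrap in commas so "suid" can never match inside "nosuid".
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="${missing:+$missing,}$want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo "ok"
}

# Constructed sample in /proc/mounts format (not taken from the thread).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
/dev/hda2 / ext3 rw 0 0
/dev/hda3 /tmp ext3 rw,nosuid 0 0
/dev/hda5 /var/tmp ext3 rw,noexec,nosuid,nodev 0 0
EOF

for mp in /tmp /var/tmp /dev/shm; do
    printf '%s: %s\n' "$mp" "$(check_mount_opts "$sample" "$mp" || true)"
done
```

On a live host, pass /proc/mounts as the first argument. A result of not-a-mount for /tmp means it shares the root filesystem and needs its own filesystem or a bind mount before these options can be applied.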