For my 1 1/2 cents' worth, this is how I, a non-sysadmin person, manage Linux security.

My server was hacked a while back while using Slackware 8 (or so), when there was an SSL/SSH bug which I never got around to fixing. I guess using Fedora gives me better peace of mind, as libraries are updated on a daily basis. Out of the box, Slackware does not have this auto-update feature, probably because Slackware peeps prefer to build and package from source.

A basic rule that I've followed is not to run any services that I am not using. For any services that are needed, I make sure that I know how to configure them at least to an intermediate level. Spend a few hours to set it up properly and create documentation in human-understandable language; it'll go a long way.

One way or another, actively configure and know your firewall settings. Some time ago, I swore I'd learned everything about iptables, but since I've had my hardware firewall with a dumbed-down interface, that's what I've been using.

On 3/23/07, Manuel Arostegui Ramirez <manuel@xxxxxxxxxxxxxx> wrote:
On Friday 23 March 2007 13:40:45 Schnulli wrote:
> Well, we also got infected with this "bastard".
> OK, we're running Mandrake 10.2 (the good old one) but same problems.
>
> How did I find it?
> I was looking at what is running on this MDK... uuuuuuhhhhh, what's that
> => APACHE -DSSL ??? Hmmm, with high CPU load.... I was wondering.
> Also I had lately lags in our bandwidth.... a lot of spam mails and a few
> other strange things.
> OK... time to do something......
> In our case this bastard tells you it is "APACHE -DSSL". WRONG!!!!
> This is a Perl daemon connecting to the IRC network and spreading all
> infos of your system, AND!!!! gives them full access to your server.......
> What to do???? Where the heck does it load from?
> Well.... it is an exploit used by hackers to hijack boards, no matter
> if phpBB, Joomla or other... it's code injection and execution!! Once
> you got infected you are having a problem; we DON'T know at this time a
> solution to kick this little baby off, not yet.....
> What did we do?
> Well... this exploit needs to load external code to execute.... we
> found where and how it starts up; in our case it is the file
> "borek.txt" (search for it on Google etc. and you will find similar
> problems;) )
> OK... we saw where this bastard tried to load its code... so we
> blocked this IP. This will give us now the time and chance to search
> how it works and maybe find a solution to fix it and close this
> backdoor/bug.
> When you deny/drop/reject access to the IP where the code is placed,
> the daemon can't start up... simple? Yes, but no solution.....
>
> We'll figure out how and what it is and by chance bring you all (and
> us) a solution to fix it.
>
> Cheers from Germany,
> Schnulli
>
> By the way, when someone still has a solution feel free to post it
> here or leave me a note.

Sorry to read that you have been hacked.
Well, it depends on the scenario, of course, but in mine, I have the public server with a restricted network policy. I mean, the only outbound connection allowed is the one made to the apt-get servers. Any other connection will be refused. So, in case we were hacked and that -DSSL was running, it wouldn't send any piece of information, at least.

We're also using Babel Enterprise ( http://babel.sf.net ) in order to keep our processes and services under control, so if there's any other process running aside from the ones we already know and allow, it will be reported.

Hope this helps.

All the best.

--
Manuel Arostegui Ramirez.

Electronic Mail is not secure, may not be read every day, and should not be used for urgent or sensitive issues.

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
--
Chu Jeang Tan
chujtan@xxxxxxxxx
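Two checks come out of this thread: Manuel's "report any process that is not one we already know and allow", and Schnulli's observation that the bot shows up as "APACHE -DSSL" while really being a Perl daemon. A script can rewrite its own argv[0] (in Perl, `$0 = "APACHE -DSSL"`), but on Linux `/proc/<pid>/exe` still points at the interpreter binary, and a binary that unlinked itself after starting shows up there with a " (deleted)" suffix. The following is an added example, not code from the thread and not Babel Enterprise's; the allow-list, the interpreter set and the sample process snapshot are assumptions constructed for illustration.

```python
"""Flag processes that are off the allow-list, run under a script interpreter
while claiming to be something else, or whose binary has been deleted.
Added example; the allow-list, interpreter set and SAMPLE are assumptions."""
import os
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Proc:
    pid: int
    exe: str      # target of /proc/<pid>/exe, e.g. "/usr/bin/perl"
    cmdline: str  # /proc/<pid>/cmdline with NUL separators turned into spaces


# Assumed known-good baseline for a small web host; a real one comes from the
# machine's own package inventory.
ALLOWED_EXES: Set[str] = {
    "/sbin/init", "/usr/sbin/httpd", "/usr/sbin/sshd", "/usr/sbin/crond",
}

# Interpreters a script-based bot actually runs under. The script may rewrite
# argv[0], but the exe link still names the interpreter.
INTERPRETERS: Set[str] = {"perl", "python", "python2", "python3", "sh", "bash", "php"}

DELETED_SUFFIX = " (deleted)"  # how the kernel marks an unlinked executable


def check(procs: Iterable[Proc], allowed: Set[str] = ALLOWED_EXES) -> Dict[int, List[str]]:
    """Return {pid: [reasons]} for every process that deserves a second look."""
    report: Dict[int, List[str]] = {}
    for p in procs:
        reasons: List[str] = []
        exe = p.exe
        if exe.endswith(DELETED_SUFFIX):
            exe = exe[: -len(DELETED_SUFFIX)]
            reasons.append("executable deleted from disk")
        if exe not in allowed:
            reasons.append(f"not on allow-list: {exe}")
        exe_base = os.path.basename(exe)
        argv = p.cmdline.split()
        claimed = os.path.basename(argv[0]) if argv else ""
        # "APACHE -DSSL" in cmdline, but the exe link says perl: masquerade.
        if exe_base in INTERPRETERS and claimed and claimed != exe_base:
            reasons.append(f"cmdline claims {claimed!r} but runs under {exe_base}")
        if reasons:
            report[p.pid] = reasons
    return report


def snapshot(proc_root: str = "/proc") -> List[Proc]:
    """Read the live process table on Linux (root needed to see every exe link)."""
    procs: List[Proc] = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            exe = os.readlink(os.path.join(proc_root, name, "exe"))
            with open(os.path.join(proc_root, name, "cmdline"), "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode("utf-8", "replace").strip()
        except OSError:  # kernel thread, process already gone, or no permission
            continue
        procs.append(Proc(int(name), exe, cmdline))
    return procs


# Constructed snapshot, not real data: a perl bot posing as Apache and an
# unlinked binary among ordinary daemons.
SAMPLE: List[Proc] = [
    Proc(1, "/sbin/init", "/sbin/init"),
    Proc(812, "/usr/sbin/httpd", "/usr/sbin/httpd -DSSL"),
    Proc(903, "/usr/sbin/sshd", "/usr/sbin/sshd"),
    Proc(4471, "/usr/bin/perl", "APACHE -DSSL"),
    Proc(4490, "/tmp/.x/bot (deleted)", "/tmp/.x/bot"),
]


if __name__ == "__main__":
    procs = snapshot() if os.path.isdir("/proc") else SAMPLE
    for pid, reasons in sorted(check(procs).items()):
        print(pid, "; ".join(reasons))
```

The masquerade test is a heuristic: some legitimate Perl daemons also rewrite `$0` with a descriptive name, so treat a hit as something to look at, not proof of compromise. The allow-list check is the stronger one and is what Manuel's Babel setup amounts to; it only works if the baseline is taken on a machine you trust.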