On Wed, 2005-07-20 at 14:25, Mike McCarty wrote:
> I'm running FC2 now. I did a netstat and didn't see any connections
> I couldn't account for.
>
> I have set up for FC2 legacy updates, and done a
>
> # yum update
>
> which pulled several packages.
>
> What should I do in order to defend against this sort of attack?
> I'm not familiar with iptables, though I just looked, and it
> didn't look like much was blocked. I don't have awstats, I guess,
> as
>
> $ su -
> # man awstats
> No manual entry for awstats

The first thing to do is evaluate your system to determine what might be a path into it. Are you running a web server that you have available from the Internet? If you do, then you need to look at all open ports on your system. Either run a network scan yourself from another location, or you can use http://www.grc.com to run ShieldsUP, which will scan your IP address and let you know which ports are exposed.

If you have any ports exposed, examine the service on those ports. HTTP, SSH, etc. should be reviewed to make sure you are up to date on security patches for those services. Any service you don't need or use should be disabled and blocked by iptables. The default iptables should block everything unless you opened any ports during setup.

As someone in this thread indicated, you should take the additional step of blocking outbound ports on your system except for those you use. Not many people do this. Many companies do this to prevent someone from running code that connects from inside the firewall to an external site.

Run chkrootkit and rkhunter, set up tripwire and review the reports daily. Monitor your log files and check netstat periodically for anything strange.

The OP was probably compromised via phpBB, which is known to have various security holes. If you are not providing any services to the Internet and have iptables locked down, you should not have much of a problem.

Most Linux exploits require some poorly coded application leaving a path into the system that has a buffer overflow or some other means of getting code loaded onto the system that can be executed. From there the hacker gets additional code loaded on the system to either gain additional privileges via other security holes (packages that have not had security updates) or simply to set up spam and bot packages to use the system for their own purposes.

And to check for awstats (I don't think it comes with a man page) run:

find / -name awstats.pl -print

Or in a browser try:

http://localhost/cgi-bin/awstats.pl

assuming that it has been installed in the cgi-bin directory.

--
Scot L. Harris
webid@xxxxxxxxxx

God, I ask for patience -- and I want it right now!
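As an added example (not from the thread or from any of the tools it names), the following POSIX shell script turns two of the checks above into something repeatable: it compares the listening sockets reported by netstat against the ports you intend to expose, and it looks for an awstats.pl under a web directory. The allowed ports (22 and 80) and the web roots it searches are assumptions for illustration; the netstat output embedded in the script is constructed so it runs offline, and the live run at the bottom only happens if netstat is installed.

```shell
#!/bin/sh
# Added example, not code from the original message: audit listening ports
# against a whitelist and look for awstats.pl, in the spirit of the advice
# to review every exposed port and every service behind it.

# Constructed sample of `netstat -tln` output so the script runs offline.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN'

# Ports you knowingly expose to the network (assumption: ssh and http).
ALLOWED_PORTS="22 80"

# listening_sockets: read netstat output on stdin and print the local
# address:port of every socket in LISTEN state (header lines are dropped
# because their last field is not the word LISTEN).
listening_sockets() {
    awk '$NF == "LISTEN" { print $4 }'
}

# unexpected_ports: read netstat output on stdin and print each port that is
# bound to a non-loopback address and is not in ALLOWED_PORTS. Loopback-only
# listeners (127.x, ::1) are not reachable from outside and are skipped;
# anything else that is printed deserves a look.
unexpected_ports() {
    listening_sockets | while read -r sock; do
        host=${sock%:*}
        port=${sock##*:}
        case "$host" in
            127.*|::1) continue ;;
        esac
        allowed=0
        for p in $ALLOWED_PORTS; do
            if [ "$p" = "$port" ]; then
                allowed=1
            fi
        done
        if [ "$allowed" -eq 0 ]; then
            echo "$port"
        fi
    done | sort -un
}

# find_awstats: the awstats.pl check from the message, limited to one
# directory so it is quick (pass / for the full filesystem search).
find_awstats() {
    root=$1
    find "$root" -name awstats.pl -print 2>/dev/null
}

# Run the port audit on the constructed sample, then on the live system
# when netstat is present.
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_ports |
    sed 's/^/sample: unexpected listener on port /'

if command -v netstat >/dev/null 2>&1; then
    netstat -tln 2>/dev/null | unexpected_ports |
        sed 's/^/live: unexpected listener on port /'
fi

# Assumed web roots; adjust to wherever your web server keeps CGI scripts.
for d in /var/www /usr/lib/cgi-bin; do
    if [ -d "$d" ]; then
        find_awstats "$d"
    fi
done
```

On the constructed sample the audit reports port 6667 (an IRC-style listener bound to all interfaces with no matching entry in the whitelist) and stays quiet about the loopback-only SMTP port and the whitelisted 22 and 80, which is the kind of "anything strange" the message says to watch for. Running the script from cron and diffing its output against yesterday's gives a cheap early warning that a new service has appeared.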