Craig White wrote:
Sounds like a guessed password then. Regardless, the best thing to do
is to rebuild from scratch and then set strong passwords on all
accounts. That is the only way to be sure the system is really back
under your control.
setting users' shells to /bin/false can help too. Ask can use of
tcpwrappers, both to control where acceptable connexions come from (if
you're not from _my_ area you can't get connected long enough to discuss
authentication) and to alert to attempts:
www:~# tail /etc/hosts.{allow,deny}
==> /etc/hosts.allow <==
#
# Example: ALL: LOCAL @some_netgroup
# ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# If you're going to protect the portmapper use the name "portmap" for the
# daemon name. Remember that you can only use the keyword "ALL" and IP
# addresses (NOT host or domain names) for the portmapper. See portmap(8)
# and /usr/doc/portmap/portmapper.txt.gz for further information.
#
sshd: 192.168. 203.34. 220.235. 203.59. 203.55. 203.33. 202.72.
==> /etc/hosts.deny <==
# The PARANOID wildcard matches any host whose name does not match its
# address. You may wish to enable this to ensure any programs that don't
# validate looked up hostnames still leave understandable logs. In past
# versions of Debian this has been the default.
# ALL: PARANOID
sshd: ALL
false: ALL: spawn ((echo attack from %h;id -a) | \
/usr/bin/mail -s %d-%h root) &
www:~# cat /etc/xinetd.d/telnet
# default: off
# description: An internal xinetd service which gets the current system time
# then prints it out in a format like this: "Wed Nov 13 22:30:27 EST 2002".
# This is the tcp version.
service telnet
{
disable = no
socket_type = stream
protocol = tcp
user = games
wait = no
flags = NAMEINARGS
server = /usr/sbin/tcpd
server_args = /bin/false
}
www:~#
Read docs and/or try it out if you don't understand it.
Isn't rebuilding a little extreme? If the cracker got into an
unpriviledged user's account and no further isn't that particular user
account the only thing at risk? Shouldn't changing all passwords to
strong ones and deleting the infected user account and files be
sufficient?
----
You would have to know EXACTLY what was compromised and that would be
difficult to determine and clearly it would take a lot less time than
simply backing up the data, wiping out the installation and reinstalling
fresh. Once a box is owned by someone else, you can't trust anything
including reports from things like rpm -Va. The only thing you might be
able to trust is a check from tripwire which had the checksums stored on
a read-only filesystem like a CD.
rpm -Va with a known good rpm (eg rescue cd) would do me.
--
Cheers
John
-- spambait
1aaaaaaa@xxxxxxxxxxxxxxxxxxxxxxx Z1aaaaaaa@xxxxxxxxxxxxxxxxxxxxxxx
Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/
do not reply off-list
