Once again I find myself trying to help someone piece together how an intruder managed to get into their system. The system was way out of date (FC6), so it is no surprise that they got compromised.

From what I can tell, the intruder managed to get root, which allowed them to remove the iptables file and lower the protection on ssh to allow unix passwords. The attacker then installed an ssh-probing client in /root. The lowered ssh security allowed a second intrusion at user level (probably by password guessing), where an IRC bot was installed and run from cron with normal user permissions.

It would have been nice to know when and how they initially got in. The site runs a handful of daemons (postfix, named, ntp, apache, dovecot), so any of them could have allowed the initial intrusion. They didn't have selinux enabled, so that compounded problems.

Clearly the top-level answer is to just impress upon them the fact that they need to stay current and keep selinux enabled. It still would be nice to know how the attackers got in, though.

The real issue is that there isn't a good activity log. While I can install tripwire to watch for changed files, it probably won't tell me how they got in. Is there something that addresses that problem? Some poor sucker always has to be the first victim of a new attack. It would be nice to know which service to disable or reconfigure until a fix is distributed.

Is there some way to track intruders that I'm missing?

-wolfgang
-- 
Wolfgang S. Rupprecht http://www.wsrcc.com/wolfgang/ (IPv6-only)

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
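The post describes two things a log review could have caught: sshd reconfigured to accept passwords, and a guessing run that eventually logged a user in. The script below is an added example, not part of the original post or of any Fedora tooling. It scans sshd auth-log lines for a source address that fails password authentication repeatedly and then succeeds, and it checks an sshd_config for PasswordAuthentication using OpenSSH's first-match rule. The host name, addresses, users and config text are constructed for illustration; only the sshd message formats ("Failed password for ...", "Accepted password for ...") are the real ones.

```python
"""Flag a password-guessing run that ends in a successful sshd login, and
flag an sshd_config that permits password logins.

Added example, not from the original mailing-list post. SAMPLE_LOG and the
SAMPLE_CONFIG_* strings are constructed; the "Failed password for" and
"Accepted password for" message shapes are what OpenSSH logs to auth.
"""
import re
from collections import defaultdict

# sshd syslog line: "<month> <day> <time> <host> sshd[<pid>]: <message>"
# We only care about the message part, so search rather than anchor.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def scan_auth_log(lines, threshold=5):
    """Return one finding per source IP that produced at least `threshold`
    failed password attempts and then an accepted password login.

    Each finding is (ip, failures_before_success, user, line_no), with
    line_no the 1-based index of the successful login. Publickey logins
    never match AUTH_RE and so are ignored.
    """
    failures = defaultdict(int)
    findings = []
    for n, line in enumerate(lines, 1):
        m = AUTH_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        if m.group("result") == "Failed":
            failures[ip] += 1
        elif failures[ip] >= threshold:
            findings.append((ip, failures[ip], m.group("user"), n))
            failures[ip] = 0  # reset so a later run is reported separately
    return findings

def password_auth_enabled(sshd_config_text):
    """True if this sshd_config allows password logins.

    sshd honours the first occurrence of a keyword, and the compiled-in
    default for PasswordAuthentication is 'yes', so a config that never
    sets it counts as enabled.
    """
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "passwordauthentication":
            return parts[1].strip().lower() == "yes"
    return True

# Constructed sample: a guessing run from 203.0.113.5 that finally gets in
# as bob, one unrelated failure from 198.51.100.9, and a key-based login.
SAMPLE_LOG = [
    "Mar  3 02:11:01 fc6box sshd[2134]: Failed password for root from 203.0.113.5 port 40101 ssh2",
    "Mar  3 02:11:03 fc6box sshd[2136]: Failed password for invalid user admin from 203.0.113.5 port 40102 ssh2",
    "Mar  3 02:11:05 fc6box sshd[2138]: Failed password for invalid user test from 203.0.113.5 port 40103 ssh2",
    "Mar  3 02:11:07 fc6box sshd[2140]: Failed password for bob from 198.51.100.9 port 55021 ssh2",
    "Mar  3 02:11:09 fc6box sshd[2142]: Failed password for bob from 203.0.113.5 port 40104 ssh2",
    "Mar  3 02:11:11 fc6box sshd[2144]: Failed password for bob from 203.0.113.5 port 40105 ssh2",
    "Mar  3 02:11:13 fc6box sshd[2146]: Accepted password for bob from 203.0.113.5 port 40106 ssh2",
    "Mar  3 02:11:20 fc6box sshd[2146]: pam_unix(sshd:session): session opened for user bob by (uid=0)",
    "Mar  3 08:00:00 fc6box sshd[2300]: Accepted publickey for wolfgang from 198.51.100.9 port 55100 ssh2",
]

# Constructed configs: the weakened one an intruder might leave behind,
# and the hardened one that only allows key-based logins.
SAMPLE_CONFIG_WEAK = "Protocol 2\n# flipped to yes\nPasswordAuthentication yes\nUsePAM yes\n"
SAMPLE_CONFIG_HARDENED = "PasswordAuthentication no\nPermitRootLogin no\n"

if __name__ == "__main__":
    for ip, fails, user, n in scan_auth_log(SAMPLE_LOG):
        print(f"{ip}: {fails} failures, then logged in as {user} (line {n})")
    print("password auth (weak config):", password_auth_enabled(SAMPLE_CONFIG_WEAK))
    print("password auth (hardened):", password_auth_enabled(SAMPLE_CONFIG_HARDENED))
```

Run against a real /var/log/secure the scan would point at the second, user-level intrusion in the post; it cannot recover the first root compromise if that log was never shipped off the box, which is the gap the post is asking about. The config check is worth running from a cron job that compares against a known-good copy, since an intruder who turned passwords on is unlikely to announce it.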