Boston Linux & Unix (BLU) Home | Calendar | Mail Lists | List Archives | Desktop SIG | Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings
Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU

BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Server hacked, Desperate for help with FC6

Matthew Gillen wrote:
  > You mean like tripwire?  That wouldn't have necessarily detected 
> unless a root-kit was installed in such a way as to replace system binaries.
> But I doubt they'd bother with that unless the attacker was looking for
> something very specific (ie they have a user targeted and want his password,
> so they replace the 'login' program).  Typical script kiddies just want to
> install an irc-bot or spam-server, and won't mess with the rest of the
> system once they have root access.

Tripwire et al can monitor config file changes, too.  In that case, it 
would have helped.

Another thing I need to work out on my end is simply looking at the 
server and its logfiles more often.  I used to use the one box for 
firewall, server, and workstation.  I got a laptop a while ago, and use 
that as my workstation, so I'm not sitting in front of the box as much. 
  I need to set up a logfile monitor.

I was also thinking of putting /etc in subversion and running svn st 
every now and then and sending the results to an email.  I've always 
been afraid that some admin program (or the /etc/rc* directories) would 
choke on the .svn directories, but I think it's worth a try.  Anyone 
ever do that?

This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!

Boston Linux & Unix /