[BLU] Help... I've been hacked!
David Kramer
david at thekramers.net
Tue Mar 27 12:19:22 EST 2001
On Tue, 27 Mar 2001, Chris Janicki wrote:
> Hi, I'm brand new to Linux, although I know Solaris. I was working on my
> brand new Red Hat 6.2 Linux machine (soon to be my web server, email
> server, etc.) when I noticed an email returned to root. It was from
> Yahoo, saying that the destination's email box was full. The subject of
> the email was my IP address! Knowing that I hadn't sent any email, I did
> 'grep yahoo /bin/*' and found that email address in login, ps, ls, and
> netstat. I've been hacked, right?!
>
> 1) What can I do to replace those files? I spent many hours configuring
> the box, so I don't want to start from scratch.
>
> 2) Is there anywhere else I should look for problems?
>
> 3) Is there any particular hole in RedHat 6.2 that I need to address?
> (It was preconfigured on the machine I bought from Penguin, in December.)
Take this advice from one who learned the hard way. You need to reformat
the hard drive and start over. You have no idea what files were left
behind or altered. As Sigourney Weaver says, "Nuke 'em from orbit. It's
the only way to be sure". It's sad, it's a lot of work, but they almost
always leave hidden ways back into your system.
You may want to copy off some text-only files (config, mail, cron, web
content) from your system before doing that, but make sure they're clean.
Sorry, dude. No other way.
And here's the lesson to be learned: ALL Linux distributions from ALL
vendors more than a few weeks old have a whole host of packages that were
deemed to have security holes in them, often very serious ones. It is
essential that once you've installed Linux, you go back to your vendor and
install any updates to packages you are using immediately. And keep on
top of it, installing updates as they come out. You know the crackers are
watching the security lists.
Check out:
http://linuxsecurity.com
linux-security at redhat.com
bugzilla at redhat.com
comp.os.linux.security
http://www.freshmeat.net
-------------------------------------------------------------------
David Kramer  http://thekramers.net
"All my life, I always wanted to be somebody.
Now I see that I should have been more specific."
- Lily Tomlin
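Added example, not part of the thread: a small Python triage that does from trusted media what the original poster did by hand with `grep yahoo /bin/*`, comparing files copied off the suspect disk against a known-good SHA-256 manifest (the analogue of verifying against pristine install media) and listing e-mail-like strings embedded in each binary. The paths, sample byte blobs and manifest below are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import re

# E-mail-like ASCII strings inside a binary; the generalisation of the
# poster's grep (assumption: any mail address baked into a core system
# binary such as login, ps, ls or netstat deserves a second look).
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_email_addresses(data: bytes) -> list[str]:
    """Return the unique e-mail-like strings found in a binary blob."""
    return sorted({m.decode("ascii") for m in EMAIL_RE.findall(data)})


def triage(files: dict[str, bytes], manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare suspect files against a known-good hash manifest.

    files:    path -> bytes read from the suspect disk (mounted read-only
              from a clean boot, never via the compromised host's own tools)
    manifest: path -> SHA-256 hex of the pristine file
    Returns modified paths, paths absent from the manifest, and any
    mail addresses found, as "path: address".
    """
    report: dict[str, list[str]] = {"modified": [], "unlisted": [], "addresses": []}
    for path, data in sorted(files.items()):
        expected = manifest.get(path)
        if expected is None:
            report["unlisted"].append(path)
        elif sha256_hex(data) != expected:
            report["modified"].append(path)
        for addr in find_email_addresses(data):
            report["addresses"].append(f"{path}: {addr}")
    return report


# Constructed sample data: pristine binaries, the manifest derived from
# them, and a suspect set where ls has an address stitched in and an
# extra binary appears that no package accounts for.
CLEAN = {
    "/bin/ls": b"\x7fELF" + b"\x00" * 12 + b"usage: ls [OPTION]... [FILE]...",
    "/bin/ps": b"\x7fELF" + b"\x00" * 12 + b"usage: ps [options]",
}
KNOWN_GOOD = {path: sha256_hex(data) for path, data in CLEAN.items()}
SUSPECT = {
    "/bin/ls": CLEAN["/bin/ls"] + b"\x00sniffer-drop@yahoo.com\x00",
    "/bin/ps": CLEAN["/bin/ps"],
    "/usr/bin/extra": b"\x7fELF" + b"\x00" * 12 + b"unpackaged",
}
```

Run `triage(SUSPECT, KNOWN_GOOD)` to see /bin/ls flagged as modified and carrying an address, and /usr/bin/extra flagged as unlisted; a hash mismatch only tells you a file changed, so as the post says, the reinstall still happens, and the output serves to decide which text-only files are safe to carry across.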