Server hacked, Desperate for help with FC6
David Kramer
david at thekramers.net
Sat Nov 25 15:32:25 EST 2006
Matthew Gillen wrote:
> You mean like tripwire? That wouldn't have necessarily detected anything,
> unless a root-kit was installed in such a way as to replace system binaries.
> But I doubt they'd bother with that unless the attacker was looking for
> something very specific (i.e. they have a user targeted and want his password,
> so they replace the 'login' program). Typical script kiddies just want to
> install an irc-bot or spam-server, and won't mess with the rest of the
> system once they have root access.

Tripwire et al. can monitor config file changes, too. In that case, it
would have helped.

Another thing I need to work out on my end is simply looking at the
server and its logfiles more often. I used to use the one box for
firewall, server, and workstation. I got a laptop a while ago, and use
that as my workstation, so I'm not sitting in front of the box as much.
I need to set up a logfile monitor.

I was also thinking of putting /etc in subversion and running svn st
every now and then and sending the results to an email. I've always
been afraid that some admin program (or the /etc/rc* directories) would
choke on the .svn directories, but I think it's worth a try. Anyone
ever do that?
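
Added example, not part of the original post: one way the "svn st and mail the results" idea could look, turning `svn status` output for a versioned /etc into a mail report that is only produced when something changed. It assumes /etc is already a Subversion working copy; the host name, mail addresses and the sample output are constructed placeholders.

```python
"""Added example: report drift in a Subversion-tracked /etc."""
import subprocess
from email.message import EmailMessage

# First-column codes of `svn status` that matter for config drift.
CODES = {
    "M": "modified",
    "?": "unversioned (new file)",
    "!": "missing",
    "A": "scheduled add",
    "D": "scheduled delete",
    "~": "type changed",
    "C": "conflicted",
}

def parse_status(output):
    """Return [(label, path)] for each changed item in `svn status` output."""
    changes = []
    for line in output.splitlines():
        if len(line) < 8 or line[0] not in CODES:
            continue  # blank lines, headers, property-only changes
        # Status flags fill the leading columns; the path follows them.
        changes.append((CODES[line[0]], line[7:].strip()))
    return changes

def build_report(changes, host="server.example"):
    """Return an EmailMessage describing the drift, or None if clean."""
    if not changes:
        return None
    msg = EmailMessage()
    msg["Subject"] = f"[{host}] {len(changes)} change(s) under /etc"
    msg["From"] = msg["To"] = "root@localhost"  # placeholder address
    msg.set_content("\n".join(f"{label:24} {path}" for label, path in changes))
    return msg

def check_etc(workdir="/etc"):
    """Run `svn status` on the working copy and build the report."""
    out = subprocess.run(["svn", "status", workdir], capture_output=True,
                         text=True, check=True).stdout
    return build_report(parse_status(out))

# Constructed sample output, not taken from a real system.
SAMPLE = """\
M       /etc/ssh/sshd_config
?       /etc/cron.d/update
!       /etc/motd
"""

if __name__ == "__main__":
    print(build_report(parse_status(SAMPLE)))
```

From cron, `check_etc()` would be called and any non-None message handed to the local mailer; an unversioned directory appears as a single `?` line, so new files inside it are not listed individually.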