On Fri, Jun 15, 2001 at 03:41:39PM -0400, Michael Stutz wrote:
>
> what I'd like to know from you all is a) was this failed -- is there
> any way of knowing whether or not I've been cracked and b) what should
> I do next?
>

Yes, it is a failed crack attempt. You know it failed because if it
succeeded then rpc.statd would have crashed before writing the log to
syslog.

The best way to try and find out whether you've been cracked or not (in
future cases) is to install something like tripwire, which walks all over
your filesystems generating a database of attributes of all the files and
directories. Then, to check for possible damage, you run an integrity
check in which tripwire walks all over the same files and compares their
attributes against those in its database. It alerts you to any
differences.

Tripwire is not completely failsafe, though. No security tool is. It is
possible to mis-configure tripwire (at least in the new 2.xx version) and
have it fail to check some important files. It is also possible for the
intruder to update tripwire's database once he's made the modifications.
You can protect against that by putting the tripwire database on a
read-only medium, like a floppy disk with the write tab moved to the
write-protected position. Even then, though, it's possible that the
intruder used a kernel module rootkit (knark, for example) to *really*
hide their changes. If knark is used correctly, tripwire and other
related tools can't detect the changes.

What you should do now is make sure you're running an up-to-date
installation of Debian. Ensure that you have a security source in
/etc/apt/sources.list. For example:

    deb http://security.debian.org/ stable/updates main

and run apt-get update && apt-get dist-upgrade.

Then install tripwire and learn how to use it. I suggest that you install
the free (GPL free) 2.x.x version, available at www.tripwire.org.

Then read the security HOWTO at
http://www.linuxdoc.org/HOWTO/Security-HOWTO.html

That should be enough to get you started, I think. Remember that the only
secure computer is one that is locked in a safe and not plugged in. You
really need to keep security in mind all the time, since any computer
used by people (or even visible to people) can potentially be abused. You
can never really say "This box is secure. I am done." You'll be proven
wrong before you know it.

noah

-- 
_______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
Attachment:
pgpSVW_t9blNF.pgp
Description: PGP signature
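The baseline-then-check cycle Noah describes (record attributes of every file, later re-walk the tree and report differences) is small enough to show in full. The script below is an added example written for this page; it is not Tripwire's code and not part of the original message. It records mode, owner, size, mtime and a SHA-256 digest per file, stores the baseline as JSON, and on re-check reports added, removed and modified paths. The `demo()` function builds a constructed tree under a temporary directory, tampers with it the way a post-intrusion check would need to catch (a binary rewritten to the same size with its mtime restored, a permission change, a deleted file, a new file) and returns the resulting report. All paths and file contents in it are made up for the demonstration.

```python
import hashlib
import json
import os
import stat
import tempfile


def file_record(path):
    """Attributes recorded per path, in the spirit of a tripwire database.
    A cryptographic hash alongside mode/size/mtime means that rewriting a
    file to the same size and restoring its mtime is still detected."""
    st = os.lstat(path)
    rec = {
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "mtime": int(st.st_mtime),
    }
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)
    return rec


def build_baseline(root):
    """Walk root (not following symlinks) and record every file and symlink."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = file_record(path)
    return baseline


def save_baseline(baseline, db_path):
    # In real use the database belongs on read-only media, as the post notes;
    # an intruder who can write it can simply re-baseline after tampering.
    with open(db_path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(db_path):
    with open(db_path) as f:
        return json.load(f)


def check_integrity(baseline, root):
    """Re-walk root and compare against the stored baseline."""
    current = build_baseline(root)
    report = {"added": [], "removed": [], "modified": {}}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            old, new = baseline[rel], current[rel]
            changed = [k for k in old if old[k] != new.get(k)]
            changed += [k for k in new if k not in old]
            if changed:
                report["modified"][rel] = sorted(changed)
    return report


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as work:
        root = os.path.join(work, "tree")          # hypothetical filesystem
        db_path = os.path.join(work, "twdb.json")  # stands in for read-only media
        os.makedirs(os.path.join(root, "sbin"))
        os.makedirs(os.path.join(root, "etc"))
        binary = os.path.join(root, "sbin", "rpc.statd")
        passwd = os.path.join(root, "etc", "passwd")
        with open(binary, "wb") as f:
            f.write(b"original binary contents\n")
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        os.chmod(passwd, 0o644)
        with open(os.path.join(root, "etc", "hosts.allow"), "w") as f:
            f.write("ALL: LOCAL\n")

        save_baseline(build_baseline(root), db_path)

        # Tampering: same-size rewrite with mtime put back, so only the hash
        # differs; a permission change; a removed file; a new file.
        st = os.stat(binary)
        with open(binary, "wb") as f:
            f.write(b"modified binary contents\n")
        os.utime(binary, (st.st_atime, st.st_mtime))
        os.chmod(passwd, 0o600)
        os.remove(os.path.join(root, "etc", "hosts.allow"))
        with open(os.path.join(root, "etc", "new.conf"), "w") as f:
            f.write("added after baseline\n")

        return check_integrity(load_baseline(db_path), root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The check deliberately records every attribute the baseline has and flags any that differ, rather than trusting mtime alone, which is why the rewritten binary is reported even though its size and timestamp match. As the post points out, a check like this only sees what the kernel shows it; a kernel-level rootkit that lies about file contents defeats it, which is why the database and ideally the checking tool itself should live on media the running system cannot alter.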