In linux.debian.security, you wrote:
> I am curious if the following is an example of a buffer overflow. I
> noticed this in my syslog - and the following day had someone logged in
> from an IP I'm not aware of.
> I changed the passwords - and added an entry to the input chain to block
> the IP, but am wondering what other things I should do?
> Should I remove /bin/sh for something less obvious as a general
> protection from buffer overflows?
If you suspect your machine was r00ted,
1. Take it off the net _now_.
2. If you want to do a post-mortem, boot from "known good" CD or plug
the hd into a "known good" box.
3. Post mortem or not, wipe everything out (as in "fdisk") and reinstall.
The reason is that the intruder could install hacked versions of utilities
like ps, ls, lsmod etc. that won't show backdoor processes and hacked files,
and/or a kernel module that does the same at OS level. Your logs may have
been sanitized, too. You cannot trust any program on a r00ted box.
In cyberspace no one can hear you laugh -- Bill Bumgarner in RISKS 21.65
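Step 2 above (examining the disk from a known-good system) can be made concrete. The following is an added example, not code from the reply or from Debian: it hashes the suspect's binaries with the clean host's own tools and compares them against a hash list in the same "<md5>  <relative path>" format dpkg uses, where the list comes from trusted media (e.g. extracted from the original .deb on a mirror), because the suspect's own /var/lib/dpkg/info can have been rewritten along with ps, ls and lsmod. The mount point /mnt/suspect and the demo fixture are assumptions; the fixture builds a throwaway tree, trojans one binary and deletes another, to show what the check reports.

```shell
#!/bin/sh
# Added example, not from the original post. Verify files on a mounted
# suspect root against a trusted hash list, running only the known-good
# host's tools. Nothing on the suspect disk is executed or trusted.

# verify_tree ROOT SUMS
#   ROOT: where the suspect filesystem is mounted (assumed: /mnt/suspect)
#   SUMS: trusted list, dpkg md5sums format: "<md5>  <path relative to root>"
# Prints one line per MISSING or MODIFIED file; prints nothing when clean.
verify_tree() {
    root=$1
    sums=$2
    while read -r expected relpath; do
        [ -n "$relpath" ] || continue          # skip blank lines
        target="$root/$relpath"
        if [ ! -f "$target" ]; then
            echo "MISSING $relpath"
            continue
        fi
        # hash with the clean host's md5sum, never a binary from the suspect
        actual=$(md5sum "$target" | cut -d' ' -f1)
        [ "$actual" = "$expected" ] || echo "MODIFIED $relpath"
    done < "$sums"
}

# demo: constructed fixture standing in for the mounted suspect disk.
# Builds "pristine" stand-in binaries, records their hashes as the trusted
# list, then simulates the intruder replacing ps and deleting lsmod.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/root/bin" "$work/root/sbin"
    printf 'genuine ps\n'    > "$work/root/bin/ps"
    printf 'genuine ls\n'    > "$work/root/bin/ls"
    printf 'genuine lsmod\n' > "$work/root/sbin/lsmod"
    # trusted list built from the pristine copies (in real use: from the .deb)
    ( cd "$work/root" && md5sum bin/ps bin/ls sbin/lsmod ) \
        > "$work/trusted.md5sums"
    # the intruder's changes: a ps that hides processes, lsmod removed
    printf 'trojaned ps\n' > "$work/root/bin/ps"
    rm "$work/root/sbin/lsmod"
    verify_tree "$work/root" "$work/trusted.md5sums"
    rm -rf "$work"
}

# Real use, once the suspect disk is mounted read-only on the clean box:
#   verify_tree /mnt/suspect /path/to/trusted.md5sums
demo
```

A clean report from this check proves only that the listed files are intact; a kernel module loaded into the running suspect kernel, a backdoor in an unlisted file, or a patched libc that the hash list does not cover all pass unnoticed, which is why step 3 (wipe and reinstall) still applies even when the comparison comes back empty.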