
Re: Got hacked by Ramen-style attack



hi ya

> > Nov 21 03:29:36 lan1 -- MARK --
> > Nov 21 03:32:08 lan1 SERVER[2757]: Dispatch_input: bad request line
> >
> 'BBÜóÿ¿Ýóÿ¿Þóÿ¿ßóÿ¿XXXXXXXXXXXXXXXXXX%.156u%300$n%.21u%301$nsecurity%302$n%.192u

they tried.... doesn't mean they got in

> > I searched the system for fragments of the Ramen worm after reboot but I
> > found nothing suspicious.

how did you check ???

http://www.ists.dartmouth.edu/IRIA/knowledge_base/tools/ramenfind.htm
	- lots of tools to check for stuff
	
to check for other root kits they may have used/hidden/left behind...
	http://www.chkrootkit.org
	- many other tools ( search for rootkit, trojans, etc.. )

if you re-install without digging deeper...you won't learn anything new ??
if you do dig deeper..maybe you'd find lots of suspicious files???
	re-install assumes you patch it up to current levels,
	and that your backup data does NOT have any trojans

Debian Security howto
	http://www.debian.org/doc/manuals/securing-debian-howto/

c ya
alvin
http://www.Linux-Sec.net .. rest of the hardening howto ..


> > The attack seemed to come over nmbd, although all ports, except inetd, are
> > blocked to the outside via ipchains. I had a number of rejected packets to
> > port 137 immediately before, nmbd crashed and the lprng exploit started.
> > So there are some questions I would like to pose:
> > Is Woody's lprng still vulnerable? I've got the latest version.
> > Is the shown exploit a sign that someone already was in there, or just
> > for an attempt?
> > Can I find possible backdoors, or will I have to re-install?
> >
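The quoted `Dispatch_input: bad request line` entry is the lpd daemon logging a request it could not parse; the request itself is a printf format string whose `%.Nu` directives pump up printf's character counter and whose `%<idx>$n` directives then store that counter into whatever the idx-th stack argument points at (the four address-looking byte groups at the front of the payload). Whether such a write succeeded cannot be read off the log line alone, which is why the reply above says "they tried" and points at ramenfind and chkrootkit. What the log line does tell you is what the attacker was trying to write. The script below is an added example, not code from the mail, from LPRng or from any Ramen tooling: it scans a few constructed syslog lines (modelled on the quoted ones, with the non-printable address bytes replaced by the placeholder text `ADDR`) for lpd bad-request entries, and replays printf's counter over the payload to recover the (argument slot, value) pair each `%n` would write. The function and class names are the author's own choices.

```python
"""Flag LPRng-style format-string payloads in syslog and replay their %n writes.

Added example; the log lines below are constructed for illustration and the
helper names are arbitrary. Only the "Dispatch_input: bad request line"
message and the %.Nu / %<idx>$n payload shape come from the quoted mail.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, modelled on the entry quoted in the mail. A real
# payload carries raw little-endian addresses where "ADDR" appears here.
SAMPLE_LOG = """\
Nov 21 03:29:36 lan1 -- MARK --
Nov 21 03:32:08 lan1 SERVER[2757]: Dispatch_input: bad request line
'BBADDRADDRADDRADDRXXXXXXXXXXXXXXXXXX%.156u%300$n%.21u%301$nsecurity%302$n%.192u'
Nov 21 03:32:09 lan1 inetd[401]: printer/tcp: lpd: exit status 0x1
""".splitlines()

# lpd logs the rejected request with this prefix; the request text follows,
# either on the same line or (as in the mail) wrapped onto the next one.
LPD_BAD_REQUEST = re.compile(r"SERVER\[(\d+)\]: Dispatch_input: bad request line")

# Payload tokens that matter for a %n write:
#   %.<N>u        prints at least N digits, raising printf's character counter
#   %<idx>$n, %n  stores the current counter through the idx-th argument
TOKEN = re.compile(r"%\.(\d+)u|%(?:(\d+)\$)?n")


@dataclass
class Hit:
    line_no: int
    pid: str
    writes: List[Tuple[Optional[int], int]]  # (argument slot, value written)
    payload: str


def simulate_writes(payload: str) -> List[Tuple[Optional[int], int]]:
    """Replay printf's character counter over `payload`.

    Returns one (slot, value) pair per %n directive, in order. Literal bytes
    count one each; %.Nu is assumed to print exactly N characters, which is
    exact for N >= 10 (a 32-bit unsigned value never needs more digits) and a
    lower bound below that. Values are truncated to 32 bits as %n would store
    an int.
    """
    count = 0
    pos = 0
    writes = []
    for m in TOKEN.finditer(payload):
        count += m.start() - pos  # literal text between directives
        pos = m.end()
        if m.group(1) is not None:  # %.Nu padding directive
            count += int(m.group(1))
        else:  # %n or %idx$n write directive
            slot = int(m.group(2)) if m.group(2) else None
            writes.append((slot, count & 0xFFFFFFFF))
    return writes


def scan_syslog(lines) -> List[Hit]:
    """Return a Hit for every lpd bad-request entry whose payload contains %n."""
    hits = []
    pid = None  # pid of a bad-request entry still waiting for its payload line
    for n, line in enumerate(lines, 1):
        m = LPD_BAD_REQUEST.search(line)
        if m:
            pid = m.group(1)
            candidate = line[m.end():]
        elif pid is not None:
            candidate = line
        else:
            continue
        candidate = candidate.strip().strip("'")  # lpd quotes the request text
        writes = simulate_writes(candidate)
        if writes:
            hits.append(Hit(n, pid, writes, candidate))
            pid = None
        elif not m:
            pid = None  # continuation line held no payload; stop waiting
    return hits


if __name__ == "__main__":
    for h in scan_syslog(SAMPLE_LOG):
        print(f"line {h.line_no}: lpd pid {h.pid} got a format-string write payload")
        for slot, val in h.writes:
            where = f"argument {slot}" if slot is not None else "next argument"
            print(f"  %n via {where} would store {val} (0x{val:x})")
```

Run it against a real `/var/log/syslog` or `daemon.log` with `scan_syslog(open(path))`. A hit only proves an attempt; treat the box as compromised until the rootkit checks the reply recommends come back clean, and note that a live attacker may have cleaned syslog, so absence of hits proves nothing.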


