
Re: hacked my Linux Box




"Dzuy M. Nguyen" wrote:
> 
> Yeah, I checked the /var/log and they did delete the log files.
> 
> I started noticing the computer making a lot of noises, thought it was
> a bad fan.  It got worse and worse.  I didn't think anything of it.  Then I
> couldn't get access to it via telnet, so I tried to get on locally.  I
> had the XFree86 logon screen going, and I noticed new users that I'd
> never seen before, i.e. user names "dead", "a", "x", "z".
> 
> I did some prying around, and found this person that cracked my machine
> had made these "root" users.  Anyways, that's what happened.

It's probably best that you rebuild the machine since it may be
impossible to find everything that has been done to it.

I would suggest installing Tripwire on the newly installed machine - and
do it immediately after installation. Tripwire is a tool that performs
checksums on the files on the system so changes can be easily detected.

Make sure you are running the absolute minimum of services that you
require. If a service is not active, security problems with that service
should not affect you.

Use secure alternatives to services, for example: install and use ssh
instead of telnet (disable telnet).

Set up your tcpwrappers conf files (hosts.allow and hosts.deny) to
restrict the use of active services. Use ipchains / ipfwadm / linux-2.4
equiv (ipnatctl?) to further restrict access.

Make sure you know exactly what services you have installed and follow
the security alerts. Linux Weekly News (http://lwn.net/) security
section once a week is a good place to start. It also has links to other
security related sites. Debian announces security alerts and fixes for
Debian GNU/Linux on its web page (http://www.debian.org).

This is just a rough guide, but should be a good start.

Also, look on the LDP (http://www.linuxdoc.org) for security related
documentation.

Matthew
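As an added illustration of two of the points above (this is example code written for this page, not something from the thread or from the Tripwire project): a small POSIX sh script that does what Tripwire does at its simplest, recording a checksum baseline of a directory tree right after installation and later reporting every file that was added, removed or changed, together with a check for extra UID-0 accounts of the kind the original poster found. The directory names and passwd lines are constructed sample data; the script assumes find, sha256sum, awk, sort and mktemp are available.

```shell
#!/bin/sh
# Added example, not code from the original thread. A minimal file-integrity
# baseline in the spirit of Tripwire (record checksums right after install,
# re-check later and report anything added, removed or changed), plus a check
# for extra UID-0 accounts like the "dead"/"a"/"x"/"z" users the poster found.
# Assumes a POSIX sh with find, sha256sum, awk, sort and mktemp available.
# All file names and passwd lines below are constructed sample data.

# make_baseline DIR OUT: write "sha256  path" for every regular file under DIR,
# sorted by path, to OUT. In real use keep OUT on read-only media: an intruder
# who can rewrite the baseline can hide from it.
make_baseline() {
    find "$1" -type f -exec sha256sum {} + | sort -k2 > "$2"
}

# verify_baseline DIR BASE: recompute checksums under DIR and compare with
# BASE. Prints one "ADDED|REMOVED|CHANGED path" line per difference and
# returns 1 if anything differs, 0 if the tree matches the baseline.
verify_baseline() {
    dir="$1"; base="$2"
    cur=$(mktemp)
    find "$dir" -type f -exec sha256sum {} + | sort -k2 > "$cur"
    # First input file is the baseline, second the fresh listing; on each
    # line $1 is the hash and $2 the path.
    report=$(awk 'FILENAME == ARGV[1] { base[$2] = $1; next }
                  { cur[$2] = $1 }
                  END {
                      for (p in cur)  if (!(p in base)) print "ADDED   " p
                      for (p in base) if (!(p in cur))  print "REMOVED " p
                      for (p in cur)  if ((p in base) && base[p] != cur[p]) print "CHANGED " p
                  }' "$base" "$cur" | sort)
    rm -f "$cur"
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# find_uid0_accounts PASSWD_FILE: print every account name whose UID is 0.
# On a healthy system this prints only "root"; anything else deserves a look.
find_uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Demonstration on a throwaway directory (constructed data, removed at the end).
demo() {
    t=$(mktemp -d)
    mkdir "$t/etc"
    printf 'one\n' > "$t/etc/inetd.conf"
    printf 'two\n' > "$t/etc/hosts.allow"
    make_baseline "$t/etc" "$t/baseline.sha256"
    echo "fresh install:"
    verify_baseline "$t/etc" "$t/baseline.sha256" && echo "  baseline OK"

    # Simulate tampering: one file edited, one removed, one dropped in.
    printf 'ALL: ALL\n' >> "$t/etc/hosts.allow"
    rm "$t/etc/inetd.conf"
    printf 'x\n' > "$t/etc/.planted"
    echo "after tampering:"
    verify_baseline "$t/etc" "$t/baseline.sha256" || echo "  baseline MISMATCH"

    # Constructed passwd file with one legitimate and one planted UID-0 user.
    printf 'root:x:0:0:root:/root:/bin/sh\n'            >  "$t/passwd"
    printf 'daemon:x:1:1:daemon:/usr/sbin:/bin/false\n' >> "$t/passwd"
    printf 'dead:x:0:0::/:/bin/sh\n'                    >> "$t/passwd"
    echo "UID-0 accounts:"
    find_uid0_accounts "$t/passwd" | sed 's/^/  /'
    rm -rf "$t"
}

demo
```

Run it once after a clean install to write the baseline, then from cron to re-check; the non-zero exit status from verify_baseline is what a cron job or monitoring script keys on. The baseline file itself has to live somewhere the machine cannot rewrite (a floppy, a CD, another host), since a checksum list stored on the compromised box is only as trustworthy as the box.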

