civileme grabbed a keyboard and wrote:
>
> Well, you noted I was very terse in my message. I hate to be the bearer of bad news. But first try
>
> Put in CD#1
> cd /mnt/cdrom
> rpm -ivh --force basesystem-8.2-1mdk.i586.rpm
>
> This will generally blow away anything done to /bin /sbin or /lib
>
> Use the now good ls and rgrep tools to scan other directories for martians--if you see any, by God, push the button.
Thanks for the suggestion. I'll do that. Although at this point, I'm rattled enough by what happened that I'm probably going to be likely to push the button, regardless. Like that one reply I got said, "if you're not sure, wipe." Even if I *don't* find anything, I'm going to constantly be wondering if I just missed something....

> If you are in an unfriendly environment it is time to consider a separate firewall machine between you and the web. Mandrake SNF is exceptionally conservative, not even allowing a DMZ, and is configurable from inside via a web browser. MNF is coming soon and will have stateful firewalling which is an additional degree of security.

As mentioned in a previous reply to another, I'm behind a DSL broadband router, which effectively acts as a firewall. If I don't tell it to forward a particular incoming port to the Linux machine, the packet is quietly dropped on the floor.

> Now as to how this may happen, have you ever connected via ftp? Or downloaded by http? There is a way (and damned near undetectable if you are more than a few hops from both client and server) to desynchronize the ends of a TCP connection and become a machine in the middle, acting as server to the client and client to the server. (There is also another way of doing this with https, sometimes called Man-in-the-middle.) These are very sophisticated attacks run by knowledgeable blackhats and not by script kiddies.

Sounds like it. Just FYI, I usually don't do much web browsing from the Linux machine itself. I do most of that (as well as my FTPing) from my Win98SE box. I use the Linux box to provide me with a small news server (leafnode), squid and sleezeball (HTTP/FTP caching proxy and ad banner filter), mail server (postfix, which is configured to recognize the Win98SE box's IP address as friendly for relay) and web server (the latest Apache RPM from one of the Mandrake security update mirrors).

The only FTPing that I've really been doing directly from the Linux box has been via rpmdrake to get a security update, or to grab an RPM from rpmfind.net once in a while. So I'm still at something of a loss regarding how this could have happened, assuming that a breach has occurred. That's the bitch of it - the not knowing aspect. I may well be wiping and reinstalling my system for nothing, but I won't be sure that I'm not hacked until I've done so. And like I said, I've turned off ports 20-22 forwarding from the DSL router to the Linux box. So assuming that someone has figured out a way to login to my machine, I've closed the door on their being able to access it. Now unless the person wants to scan 65,535 ports looking for where I moved the sshd port to, he won't be able to get in, and hopefully will just go away.

> To avoid such problems,
>
> NEVER accept self-signed certificates.
>
> NEVER download pure binaries--download source unless it is something like a full iso.
>
> Grab md5sums for what you do download from a different mirror (and check them). Don't download isos for which there are no md5sums available. (Exception: Really old stuff or really new--crackers are unlikely to have infected copies to supply.)

Good advice, all around. Thanks!

--Dave

-- 
David Guntner
GEnie: Just say NO!
http://www.akaMail.com/pgpkey/davidg or key server for PGP Public key
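The md5sum check civileme recommends above, worked through as an added example (this script is not from the thread or from MandrakeSoft): the MD5SUM list is treated as if it came from a second mirror, the file is verified once untouched and once after a byte has been appended, and the second check must fail. Only md5sum(1) and mktemp(1) are assumed; the package name and contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original thread: verify a downloaded
# package against an MD5SUM list obtained separately, and confirm that
# a modified copy is caught. Assumes GNU md5sum(1) and mktemp(1).

# verify_md5 SUMFILE DIR
# Runs md5sum -c over every entry of SUMFILE from inside DIR, so the
# relative file names in the list resolve against the download directory.
# Returns 0 only if every listed file matches its recorded digest.
verify_md5() {
    sumfile=$1
    dir=$2
    ( cd "$dir" && md5sum -c --status "$sumfile" )
}

# demo_tamper_detection
# Builds a throwaway download directory holding a constructed "RPM",
# verifies it against a sum list standing in for the second mirror's
# MD5SUM file, then appends one byte and checks that verification fails.
# Returns 0 when both outcomes are as expected, 1 otherwise.
demo_tamper_detection() {
    work=$(mktemp -d) || return 1
    pkg=foo-1.0-1mdk.i586.rpm            # constructed package name
    printf 'constructed rpm payload\n' > "$work/$pkg"

    # Sum list "from the other mirror": recorded while the file is clean.
    ( cd "$work" && md5sum "$pkg" ) > "$work/MD5SUM"

    # Clean copy must pass.
    verify_md5 "$work/MD5SUM" "$work" || { rm -rf "$work"; return 1; }

    # A trojaned copy differs by at least one byte; the digest changes.
    printf 'x' >> "$work/$pkg"
    if verify_md5 "$work/MD5SUM" "$work"; then
        rm -rf "$work"
        return 1                         # tampering went unnoticed
    fi

    rm -rf "$work"
    return 0
}

# Stand-alone run: report whether the tampered copy was detected.
if demo_tamper_detection; then
    echo "md5sum check caught the modified package"
else
    echo "md5sum check did NOT behave as expected" >&2
    exit 1
fi
```

The point of fetching MD5SUM from a different mirror than the package is that a single compromised mirror can serve a matching digest alongside a trojaned file; the check only means something when the two come from independent sources.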