civileme grabbed a keyboard and wrote:
> 
> Well, you noted I was very terse in my message.  I hate to be the bearer 
> of bad news.  But first try
> Put in CD#1
> cd /mnt/cdrom
> rpm -ivh --force basesystem-8.2-1mdk.i586.rpm
> 
> This will generally blow away anything done to /bin /sbin or /lib
> 
> Use the now good ls and rgrep tools to scan other directories for 
> martians--if you see any, by God, push the button.

Thanks for the suggestion.  I'll do that.  Although at this point, I'm 
rattled enough by what happened that I'm probably going to be likely to 
push the button, regardless.  Like that one reply I got said, "if you're 
not sure, wipe."  Even if I *don't* find anything, I'm going to constantly 
be wondering if I just missed something....

> If you are in an unfriendly environment it is time to consider a 
> separate firewall machine between you and the web.  Mandrake SNF is 
> exceptionally conservative, not even allowing a DMZ, and is configurable 
> from inside via a web browser.  MNF is coming soon and will have 
> stateful firewalling which is an additional degree of security.

As mentioned in a previous reply to another, I'm behind a DSL broadband 
router, which effectively acts as a firewall.  If I don't tell it to 
forward a particular incoming port to the Linux machine, the packet is 
quietly dropped on the floor.

> Now as to how this may happen, have you ever connected via ftp?  Or 
> downloaded by http?  There is a way (and damned near undetectable if you 
> are more than a few hops from both client and server) to desynchronize 
> the ends of a TCP connection and become a machine in the middle, acting 
> as server to the client and client to the server.  (There is also 
> another way of doing this with https, sometimes called 
> Man-in-the-middle.)  These are very sophisticated attacks run by 
> knowledgeable blackhats and not by script kiddies.

Sounds like it.

Just FYI, I usually don't do much web browsing from the Linux machine 
itself.  I do most of that (as well as my FTPing) from my Win98SE box.  I 
use the Linux box to provide me with a small news server (leafnode), squid 
and sleezeball (HTTP/FTP caching proxy and ad banner filter), mail server 
(postfix, which is configured to recognize the Win98SE box's IP address 
as friendly for relay) and web server (the latest Apache RPM from one of 
the Mandrake security update mirrors).

The only FTPing that I've really been doing directly from the Linux box has 
been via rpmdrake to get a security update, or to grab an RPM from 
rpmfind.net once in a while.  So I'm still at something of a loss regarding 
how this could have happened, assuming that a breach has occurred.  That's 
the bitch of it - the not knowing aspect.  I may well be wiping and 
reinstalling my system for nothing, but I won't be sure that I'm not hacked 
until I've done so.

And like I said, I've turned off ports 20-22 forwarding from the DSL router 
to the Linux box.  So assuming that someone has figured out a way to login 
to my machine, I've closed the door on their being able to access it.  Now 
unless the person wants to scan 65,535 ports looking for where I moved the 
sshd port to, he won't be able to get in, and hopefully will just go away.

> To avoid such problems,
> 
> NEVER accept self-signed certificates.
> 
> NEVER download pure binaries--download source unless it is something 
> like a full iso.
> 
> Grab md5sums for what you do download from a different mirror (and check 
> them).  Don't download isos for which there are no md5sums available. 
> (Exception:  Really old stuff or really new--crackers are unlikely to 
> have infected copies to supply.)

Good advice, all around.  Thanks!

                   --Dave
-- 
      David Guntner      GEnie: Just say NO!
 http://www.akaMail.com/pgpkey/davidg or key server
                 for PGP Public key
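
The cross-mirror md5sum check from the quoted advice, as an added example 
that is not code from this thread or from MandrakeSoft: verify_sums reads 
an md5sum-format list (assumed to have been fetched from a different mirror 
than the files themselves) and refuses if any listed file is missing or 
hashes differently. It assumes GNU coreutils (md5sum, cut, tr, mktemp) and 
builds its own constructed sample downloads, so no mirror is contacted. The 
limit is worth keeping in mind: this only proves the download matches what 
the second mirror published; an md5sum binary already replaced on the box 
can lie, which is why the quoted advice reinstalls basesystem from the CD 
before trusting any tool on the machine.

```shell
#!/bin/sh
# Added example, not code from the original thread. Checks downloaded
# files against an md5sums list that was fetched from a DIFFERENT mirror
# than the files, as the quoted advice recommends. Assumes GNU coreutils
# (md5sum, cut, tr, mktemp). The downloads and the MD5SUMS list below are
# constructed inside this script so it runs offline.

# verify_sums SUMFILE DIR
#   SUMFILE holds md5sum-style lines: "<32 hex digits>  <filename>"
#   (a leading '*' on the filename marks binary mode and is ignored).
#   Every listed file must exist in DIR and hash to the listed value.
#   Prints one status line per entry; returns 0 only if all entries verify.
verify_sums() {
    sumfile=$1
    dir=$2
    bad=0
    while read -r expected name; do
        case "$expected" in ''|'#'*) continue ;; esac    # blank/comment
        expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
        if ! printf '%s' "$expected" | grep -Eq '^[0-9a-f]{32}$'; then
            echo "BADLINE  $expected $name"                # garbage in list
            bad=1
            continue
        fi
        name=${name#\*}
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING  $name"                          # not downloaded
            bad=1
            continue
        fi
        actual=$(md5sum "$path" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (list says $expected, file is $actual)"
            bad=1
        fi
    done < "$sumfile"
    return $bad
}

# make_sample WORKDIR
#   Constructed data: three downloads and a sums list standing in for one
#   fetched from a second mirror. After the list is written, one file is
#   replaced (a trojaned mirror copy) and one deleted (failed download).
make_sample() {
    mkdir -p "$1/downloads"
    printf 'source tarball\n'  > "$1/downloads/sample-1.0.tar.gz"
    printf 'binary package\n'  > "$1/downloads/sample-1.0.i586.rpm"
    printf 'disc image\n'      > "$1/downloads/sample-cd1.iso"
    ( cd "$1/downloads" && md5sum sample-1.0.tar.gz sample-1.0.i586.rpm sample-cd1.iso ) \
        > "$1/MD5SUMS"
    printf 'binary package plus a backdoor\n' > "$1/downloads/sample-1.0.i586.rpm"
    rm "$1/downloads/sample-cd1.iso"
}

# demo_tampered: run the check on the constructed sample. Expect OK for the
# tarball, MISMATCH for the rpm, MISSING for the iso, and a non-zero status.
demo_tampered() {
    work=$(mktemp -d)
    make_sample "$work"
    verify_sums "$work/MD5SUMS" "$work/downloads"
    rc=$?
    rm -rf "$work"
    return $rc
}

# demo_clean: the same check on an untouched download; status 0.
demo_clean() {
    work=$(mktemp -d)
    mkdir -p "$work/downloads"
    printf 'binary package\n' > "$work/downloads/sample-1.0.i586.rpm"
    ( cd "$work/downloads" && md5sum sample-1.0.i586.rpm ) > "$work/MD5SUMS"
    verify_sums "$work/MD5SUMS" "$work/downloads"
    rc=$?
    rm -rf "$work"
    return $rc
}

# A wrapper script would gate installation on the exit status:
demo_tampered || echo "Refusing to install: a download failed verification"
```

The exit status is the part a wrapper should act on: one MISSING or 
MISMATCH line is enough to stop rpm -ivh from ever running on that file.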
