On Nov 1, Tom Laurie claimed:

> I've helped a little with other gnhlug members to set up Concord Christian's
> Linux box connected to their Mediaone cable running IPChains.  They got a
> call from ATT Broadband yesterday saying that their computer was being used
> to hack into other computers and sure enough, when you reboot their server
> it says Zombie at some point.
>  
> Does anyone know how to clean the Zombie off of their server?

The word "reinstallation" comes to mind.  Once a box has been hacked, you
can't trust ANYTHING on it.  The unfortunate answer is that you will need
to reinstall the entire box.

> Once it is off, how can I protect against it ?

A couple of general guidelines:

1) If you don't need it, don't run it.  Distributions have a tendency to
come with a lot of services turned on.  Disable anything you don't
use.  If it ain't runnin', a cracker can't use it to get in.

2) Make sure you install updates to everything you have on your box.  More
to the point, keep current with updates.  Security is not a "one time
setup" kind of situation.

3) Get rid of insecure protocols like ftp, telnet, and pop - replace them
with secure versions such as openssh and pop-ssl.

4) Do some proactive checking.  Use a tool such as Port Sentry
(http://www.psionic.com/abacus/portsentry/) to see when you are being
scanned.

Good luck.  If you like, once you have the box back up and running, I'd be
happy to take a look as an outsider and see if there are any obvious
security vulnerabilities.

-Cole
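The first, third and fourth guidelines above (run only what you need, get rid of ftp/telnet/pop, check proactively) can be folded into one small audit. The script below is an added example and is not part of Cole's reply or of the Port Sentry tool he mentions. It parses listening TCP sockets in the column layout of `ss -Hltn`, compares them with an allowlist of ports the box is meant to serve, and separately calls out the cleartext protocols named in the post by their well-known ports. The socket listing, the allowlist (ssh plus a loopback-only mail daemon) and the 31337 listener are all constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits listening TCP ports
# against an allowlist and flags the cleartext services the post says to
# replace (ftp, telnet, pop). SAMPLE_SS_OUTPUT is CONSTRUCTED data in the
# format printed by `ss -Hltn` (State Recv-Q Send-Q Local:Port Peer:Port);
# on a live host feed it real `ss -Hltn` output instead.

SAMPLE_SS_OUTPUT='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:21 0.0.0.0:*
LISTEN 0 5 127.0.0.1:25 0.0.0.0:*
LISTEN 0 64 0.0.0.0:23 0.0.0.0:*
LISTEN 0 128 0.0.0.0:110 0.0.0.0:*
LISTEN 0 128 0.0.0.0:31337 0.0.0.0:*'

# Assumption: this box is only meant to offer ssh and a loopback-only MTA.
ALLOWED_PORTS="22 25"
# Well-known ports of the cleartext protocols named in the post.
CLEARTEXT_PORTS="21 23 110"

# listening_ports: print the local port of every LISTEN line on stdin,
# numerically sorted and de-duplicated. Works for IPv6 ([::]:22) too,
# since we take the text after the last colon.
listening_ports() {
    awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -un
}

# in_list WORD "w1 w2 ...": succeed if WORD appears in the list.
in_list() {
    for w in $2; do
        if [ "$w" = "$1" ]; then return 0; fi
    done
    return 1
}

# unexpected_listeners: listening ports that are not on the allowlist.
unexpected_listeners() {
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | listening_ports | while read -r p; do
        if ! in_list "$p" "$ALLOWED_PORTS"; then printf '%s\n' "$p"; fi
    done
}

# cleartext_listeners: the subset of unexpected ports that carry cleartext
# credentials and should be replaced (openssh, pop over ssl), not merely
# reviewed.
cleartext_listeners() {
    unexpected_listeners | while read -r p; do
        if in_list "$p" "$CLEARTEXT_PORTS"; then printf '%s\n' "$p"; fi
    done
}

# audit_report: print a summary; return 0 only when nothing needs attention.
audit_report() {
    u=$(unexpected_listeners | tr '\n' ' ')
    c=$(cleartext_listeners | tr '\n' ' ')
    printf 'unexpected listening ports: %s\n' "${u:-none}"
    printf 'cleartext services to replace (ftp/telnet/pop): %s\n' "${c:-none}"
    if [ -z "$u" ]; then return 0; else return 1; fi
}

if audit_report; then
    echo "audit: clean"
else
    echo "audit: action required"
fi
```

Run it from cron and diff the output against the previous run; a port that appears between runs on a box you have not changed is exactly the kind of signal the post's fourth guideline is after, and the report is a reasonable first thing to compare against the output of the same command on the freshly reinstalled box.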


**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************
