On Tue, 9 Feb 1999 [EMAIL PROTECTED] wrote:
> Is there a site where I can find all of the security holes for Redhat 5.2?
> I was hacked bad over the weekend and don't know where the compromise came
> from, it looked like a rootkit attack, all logs and logins were deleted. I
> had to go back to the reinstallation and now I am trying to turn off all
> the things that could cause another break in. All of your help is
> appreciated.
>
> Corey P. Larabie
> Clarkson University

Start by having a hard look at
http://www.cert.org/tech_tips/root_compromise.html

If possible, save your partition totally to a backup medium, so the actual
damage/programs/rootkit can be looked over.

It's especially important to see what actually happened because the
intruder probably put a packet sniffer on the machine, so the other
machines on your network can be compromised as well.

Then don't reinstall; clear everything and do a full install. There are
essentially no executables you can trust.

http://www.redhat.com/support/docs/errata.html has the updates for all
known exploits.

General advice:

Have a look in your inetd.conf and turn OFF anything you don't need,
especially the r* services, *finger, time, *talk, *stat, linuxconf.

Have a look at hosts.allow/deny to close down any host you don't actually
need to allow access from.

Have a look at ipfwadm/ipchains, and block access to all ports you don't
need open.

That'll give you the time you need to start making your machine really
safe:)

--
Henrik Olsen, Dawn Solutions I/S
URL=http://www.iaeste.dk/~henrik/
Get the rest there.
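
The inetd.conf advice above, as an added example that is not part of the original post: a shell audit that lists the still-enabled entries from the post's turn-off list and prints a copy with them commented out. The sample file is constructed, and the names sample_inetd_conf, audit_inetd and harden_inetd are made up for this example.

```shell
#!/bin/sh
# Constructed sample in the usual inetd.conf layout (not from a real host).
sample_inetd_conf() {
cat <<'EOF'
# service sock_type proto flags user server_path args
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
#exec   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
talk    dgram   udp     wait    root    /usr/sbin/tcpd  in.talkd
ntalk   dgram   udp     wait    root    /usr/sbin/tcpd  in.ntalkd
finger  stream  tcp     nowait  root    /usr/sbin/tcpd  in.fingerd
time    stream  tcp     nowait  root    internal
time    dgram   udp     wait    root    internal
#systat stream  tcp     nowait  guest   /usr/sbin/tcpd  /bin/ps -auwwx
netstat stream  tcp     nowait  guest   /usr/sbin/tcpd  /bin/netstat -f inet
linuxconf stream tcp    wait    root    /bin/linuxconf linuxconf --http
EOF
}

# awk helpers: risky() is true for a service name on the post's turn-off list.
# inetd.conf lists rsh, rlogin and rexec as "shell", "login" and "exec".
# enabled() skips commented-out and malformed lines.
INETD_RISKY='
function risky(s) {
    return s ~ /^(shell|login|exec)$/ || s ~ /finger$/ || s ~ /talk$/ ||
           s ~ /stat$/ || s == "time" || s == "linuxconf"
}
function enabled() { return $1 !~ /^#/ && NF >= 6 }
'

# audit_inetd FILE: print "service/proto" for each enabled entry to turn off.
audit_inetd() {
    awk "$INETD_RISKY"'enabled() && risky($1) { print $1 "/" $3 }' "$1"
}

# harden_inetd FILE: print a copy of FILE with those entries commented out.
harden_inetd() {
    awk "$INETD_RISKY"'enabled() && risky($1) { print "#" $0; next } { print }' "$1"
}

# Stand-alone use: sh thisfile /etc/inetd.conf
if [ "$#" -gt 0 ]; then audit_inetd "$1"; fi
```

inetd rereads its configuration only on SIGHUP, so review the hardened copy, install it, then signal the daemon.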