>Date: Fri, 26 Nov 1999 09:46:52 -0700
>From: Erik Andersen <[EMAIL PROTECTED]>
>To: Laurent SEROR <[EMAIL PROTECTED]>
>> One of my servers has been hacked (Linux RH 5.1).
>> The hacker put a trojan named 'crund'; this is the second time
>> this has happened and I believe that it is the same person.
> If this is the second time, why after the first time didn't 
> you upgrade to a newer distribution that does not have all
> the known security holes in RH 5.1?  Whenever a machine is 

This is a good idea. There are tens of documented security
holes in older versions of Linux...

> compromised, unless you are _really_ good with Linux, you
> should back up any data you wish to save and then reinstall.
> Without that, you can't be sure everything from the rootkit 

Just RedHat has something useful: rpm. Use "rpm -V -a" to get
info on what has been modified; but in case the hacker changed
the rpm database too, use md5sum to get its checksum after your
modifications, write the value down somewhere, and compare it later.

Closing the security hole the hacker used is a must. Lately hackers
use the IMAP service, or NFS (rpc.mountd), or FTP server bugs (line
too long for the first two, dir name too long for the last).
And I still do not know which RH version has these holes closed.

Jerzy
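
Added example, not part of the original message: one way to script the check described above, recording md5sum values for the rpm database and refusing to rely on "rpm -V -a" when they no longer match. The function names, the `/var/lib/rpm` default and the baseline file location are assumptions; the baseline is meant to be kept off the host.

```shell
#!/bin/sh
# Assumption: the rpm database lives in /var/lib/rpm (override with RPM_DB).
RPM_DB="${RPM_DB:-/var/lib/rpm}"

# db_baseline DIR OUTFILE
# Write one "md5  ./path" line per regular file under DIR, sorted by path.
# OUTFILE must live outside DIR. Re-run after every legitimate package
# install or removal, since those change the database too.
db_baseline() {
    ( cd "$1" && find . -type f -exec md5sum {} + | LC_ALL=C sort -k2 ) > "$2"
}

# db_check DIR BASELINE
# Return 0 if DIR matches BASELINE exactly, 1 if a file was changed, added
# or removed (the whole listing is compared, not just the known files).
db_check() {
    tmp=$(mktemp) || return 2
    db_baseline "$1" "$tmp"
    if cmp -s "$2" "$tmp"; then
        rc=0
    else
        diff "$2" "$tmp" | sed 's/^/rpm db differs: /' >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# verify_host BASELINE
# Run "rpm -V -a" only when the database still matches the baseline;
# otherwise its report cannot be relied on.
verify_host() {
    if ! db_check "$RPM_DB" "$1"; then
        echo "rpm database changed since baseline; not running rpm -V -a" >&2
        return 1
    fi
    rpm -V -a
}
```

The comparison is only as reliable as the md5sum binary and the baseline file, so both should come from media the intruder could not write to.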