Hello,
This past week I ran into some problems on my RedHat 6.0 IP Masq box at
home. I was no longer able to 'ssh' to the machine and my friends were
unable to connect to the Quake3test server with any reliability. (They
could connect, but only for a few moments with a lot more lag than usual) I
had installed a fresh copy of RH 6.0 (without any security updates) on Oct.
2. Before I put the machine on the Internet, I installed Portsentry. I had
hoped that installing Portsentry and disabling everything except the bare
essentials, including HTTPD, IPOP3D (with IMAP disabled), DHCPD, and SAMBA
would protect me from most exploits. Apparently not. This is what I found
on my system after attempting to back everything up:
In /usr/bin, there was a symlink called 'mh' which pointed to '.' There
were also quite a few other symlinks that I hadn't seen on my other RedHat
systems but could have been part of something I installed. The date the
'mh' symlink was created was Oct. 6. There was also a symlink called '['
which pointed to a binary on the system called 'test'. There were quite a
few symlinks that pointed to things like '../../sbin/halt', etc. These
MAY be normal, but I have not seen them before and would suspect they are the
signs of a compromised box.
I am going to zero out the hard drive and re-install RH Linux again. This
time I am going with RH 6.1 and the latest security updates. I will also
install the latest Portsentry and 'ssh/sshd'. Lastly, before I put the box
on the net, I will run a checksum program (like TripWire) so that I will be
able to verify that something has changed in the future.
The question: is there a decent RedHat-only security list that may keep me
abreast of the latest exploits and provide more security info than this list
can?
Thanks,
George Lenzer
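The "checksum program (like TripWire)" step the poster plans for the rebuilt box is easy to illustrate. The script below is an added example, not the poster's code and not Tripwire; it records a SHA-256 digest for regular files and the raw link target for symlinks (without following them), saves that as a baseline, and later reports what was added, removed or changed. The demo scenario is constructed: it takes a baseline of a directory holding a `test` binary and the normal `[` -> `test` link, then introduces a new `mh` -> `.` link and replaces the binary, mirroring the kind of findings described in the post. Paths and file contents in the demo are made up.

```python
#!/usr/bin/env python3
"""Minimal file-integrity baseline in the spirit of Tripwire (added example).

For every entry under a directory it records mode/owner plus either a SHA-256
digest (regular files) or the link target (symlinks, read with lstat so the
link itself is checked, not what it points at), and reports differences
against a stored baseline.
"""
import hashlib
import json
import os
import stat
import tempfile


def describe(path):
    """Return a stable description of one filesystem entry without following symlinks."""
    st = os.lstat(path)
    entry = {"mode": oct(stat.S_IMODE(st.st_mode)), "uid": st.st_uid, "gid": st.st_gid}
    if stat.S_ISLNK(st.st_mode):
        # The target is stored verbatim, so a new link to '.' or '../../sbin/halt'
        # appearing after the baseline shows up as an added entry.
        entry["type"] = "symlink"
        entry["target"] = os.readlink(path)
    elif stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        entry["type"] = "file"
        entry["sha256"] = h.hexdigest()
    elif stat.S_ISDIR(st.st_mode):
        entry["type"] = "dir"
    else:
        entry["type"] = "other"
    return entry


def snapshot(root):
    """Walk root without descending into symlinked dirs; keys are paths relative to root."""
    result = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = describe(full)
    return result


def save_baseline(snap, path):
    """Persist the snapshot as JSON; keep this file off the monitored host in practice."""
    with open(path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Return (added, removed, changed) lists of relative paths."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, changed


def demo():
    """Constructed scenario: baseline a small tree, then plant a link to '.' and alter a binary."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    baseline_path = os.path.join(tempfile.mkdtemp(prefix="integrity-baseline-"), "baseline.json")
    bindir = os.path.join(root, "bin")
    os.mkdir(bindir)
    with open(os.path.join(bindir, "test"), "wb") as f:
        f.write(b"#!/bin/sh\nexit 0\n")          # stand-in for the real 'test' binary
    os.symlink("test", os.path.join(bindir, "["))  # '[' -> 'test' is present at baseline time
    save_baseline(snapshot(root), baseline_path)

    # Later: a new 'mh' -> '.' link appears and the binary's contents change.
    os.symlink(".", os.path.join(bindir, "mh"))
    with open(os.path.join(bindir, "test"), "wb") as f:
        f.write(b"#!/bin/sh\nexit 1\n")

    return compare(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    added, removed, changed = demo()
    print("added:  ", added)
    print("removed:", removed)
    print("changed:", changed)
```

Two points the demo makes that a plain `ls` does not: the baseline must be taken before the box is exposed (as the poster intends) and stored somewhere the host cannot alter, and symlinks are compared by their target rather than by the content they resolve to, which is what catches a fresh `mh` -> `.` link while leaving the legitimate `[` -> `test` link unreported.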