And probably, as bad if not worse, your security procedures inside your Intranet are failing. The latest statistics indicate that about 50 percent of security breaches are perpetrated from inside the Intranet, and still counting.

I believe that the balance is tipping towards security breaches
from within the Intranet as more and more sophisticated hacking tools
become available from the Internet. All the "bad guys" are not from the
"outside". And the perpetrators may be less of the "guru" these days and
still be able to implant "trojans" and inflict substantial damage on your
servers.


You may have a secure Firewall protecting your network
against Internet perpetrators; are you confident your internal security
is reliable? In other words, "The Firewall" is no longer the
fortress that we were used to thinking of and being comfortable with
in our sleep at night; the perpetrator could be, indeed is, from within.

Check these sites and give your intranet and internet security the
super-boost, if you have not already:

http://web.mit.edu/kerberos/www/
http://www.openafs.org/

Rowling, Jill wrote:

Just shut the machine down as soon as possible. Even get the local janitor
to do it if you can't get to the site. Rebooting it won't help.
All processes and software are potentially compromised, including the
behaviour of the TCP stack, file mod dates, really everything.
The sensible way to go about it is to "have an outage" on that machine, and switch
over to your alternate server which is patched and up-to-date (ahh, hopefully
you have one...).

Regards,

Jill.

-----Original Message-----
From: Voytek [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 6 April 2005 8:16 AM
To: slug@slug.org.au
Subject: [SLUG] dealing with compromised machine ?

I have a compromised RH73 machine. Until such time as I can pull it down, what can I do to identify and shut down any rogue processes/backdoors?

BDC scan identified:
----
BDC/Linux-Console v7.0 (build 2492) (i386) (Dec 11 2003 13:24:00) Copyright
(C) 1996-2003 SOFTWIN SRL. All rights reserved.

/var/tmp/mremap_pte  infected: Linux.OSF.8759
...(several more)
/var/tmp/tlsd.pl  infected: Backdoor.Perl.Termapp.A
...
* packed with (Upx)
* packed with (ExePack 3.69)
* packed with (ExePack 3.69)
----

Additionally, there were baddies in and below /tmp.

I've removed all the baddies, but I expect there will be some open ports?
Is there a way to shut them in the interim period till I can get to the
machine?
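An added example for the question above (not code from the thread or from either poster): a POSIX shell script that lists LISTEN sockets by reading /proc/net/tcp directly and maps each socket inode to its owning PID and executable through /proc/*/fd, so the triage does not depend on netstat, lsof or ps, which are exactly the binaries a /var/tmp-style intrusion tends to replace. It assumes a Linux host with /proc mounted and root privileges (other users' fd tables are not readable otherwise). The caveat from the reply above still applies: this trusts the kernel's own view, and a kernel-level rootkit can lie to /proc as easily as to netstat, so it is an interim check, not a substitute for taking the machine off the network. The sample table embedded in the script is constructed for the demo, not a capture from the compromised RH73 box.

```shell
#!/bin/sh
# Added example, not from the original SLUG thread. Enumerates LISTEN sockets
# straight out of /proc/net/tcp and maps inodes to PIDs via /proc/*/fd, so it
# does not rely on netstat/lsof/ps. Assumes Linux with /proc; run as root.

# /proc/net/tcp stores local_address as HEXIP:HEXPORT, with the IP as a
# 32-bit word in host byte order (little-endian on i386), so
# 0100007F -> 127.0.0.1. Convert that to dotted quad.
hex_to_ip() {
    h=$1
    a=${h%??????}                  # chars 1-2: highest byte -> 4th octet
    rest=${h#??}; b=${rest%????}   # chars 3-4 -> 3rd octet
    rest=${h%??}; c=${rest#????}   # chars 5-6 -> 2nd octet
    d=${h#??????}                  # chars 7-8: lowest byte -> 1st octet
    printf '%d.%d.%d.%d\n' "0x$d" "0x$c" "0x$b" "0x$a"
}

# Print "ip:port inode=N" for every socket in TCP_LISTEN (state 0A).
# $1 = a file in /proc/net/tcp format; defaults to the live table.
list_listen_sockets() {
    f=${1:-/proc/net/tcp}
    # Field order: sl local rem st tx:rx tr:when retrnsmt uid timeout inode ...
    tail -n +2 "$f" | while read -r _sl laddr _rem st _q _t _r _uid _to inode _rest; do
        [ "$st" = "0A" ] || continue
        printf '%s:%d inode=%s\n' "$(hex_to_ip "${laddr%%:*}")" "0x${laddr##*:}" "$inode"
    done
}

# Find the PID holding socket inode $1 by walking every process's fd table.
# Returns 1 if no process owns it (hidden process, or already gone).
pid_for_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        p=${fd#/proc/}
        printf '%s\n' "${p%%/*}"
        return 0
    done
    return 1
}

# Live report: listener -> pid -> executable. An exe path ending in
# "(deleted)" or a listener with pid=? (no visible owner) deserves a look.
report_listeners() {
    list_listen_sockets "${1:-/proc/net/tcp}" | while read -r addr ino; do
        inode=${ino#inode=}
        pid=$(pid_for_inode "$inode") || pid="?"
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo "?")
        printf '%s pid=%s exe=%s\n' "$addr" "$pid" "$exe"
    done
}

# Constructed sample of /proc/net/tcp (not a capture from the compromised
# host): sshd-style listener on 0.0.0.0:22, a listener on 127.0.0.1:8080,
# and one ESTABLISHED connection that must be ignored.
SAMPLE_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 00000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 23456 1 00000000 100 0 0 10 0
   2: 0100007F:A1B2 0100007F:0016 01 00000000:00000000 00:00000000 00000000     0        0 34567 1 00000000 100 0 0 10 0'

demo() {
    tmp=$(mktemp) && printf '%s\n' "$SAMPLE_TCP" > "$tmp"
    list_listen_sockets "$tmp"
    rm -f "$tmp"
}

# "./listeners.sh live" scans the real machine; with no argument it runs the demo.
if [ "${1-}" = "live" ]; then report_listeners; else demo; fi
```

Run it with `live` as root on the suspect box and compare the output against what the (possibly trojaned) netstat reports; a listener visible here but absent from netstat is a strong sign the userland tools have been replaced. UDP listeners live in /proc/net/udp with the same address encoding and can be read with the same parser, minus the state filter.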

-- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html