Just after installing Redhat 7.3 (Cheapbytes pink tie version) and putting it online, I found my new box kept ftping out!!!
The destination was 18.104.22.168, which telneted to my box minutes later and got refused by the tcp wrapper.
Is there a trojan in my newly installed system? If yes, how can I find it? Currently, I could use ethereal to monitor packets, but I don't know which program requested ftp. I also checked my box with chkrootkit but found nothing abnormal.
You need to get the checkrootkit (chkrootkit) program and run it to see what rootkit you got. Back up all your data, do some reading about security, get everything ready, and then reinstall the system (but when you have the new system, make sure you set up a good firewall, shut down all unneeded services, don't use any communication with clear-text passwords, eliminate shells from users except for the ones that need to log in through ssh, and drop telnet).
If the box is regarded as suspect, running chkrootkit *without verified clean* binaries won't get you anywhere. The same goes for verifying installed rpms against the rpm database.
The best thing would be to check by running the biatchux CD (somewhere at SourceForge); it's got chkrootkit on it as well as a myriad of other tools.
Except for time-consuming manual examination of the filesystem for dot-files and dot-dirs, running strings on binaries trying to find signs of compromise, and trying to undelete/recover bits 'n pieces, about the only thing you can do is go through logfiles, (w|u)tmp entries, passwd/group and config files trying to find anomalies. However, if they used a zapper, even that might not turn up anything.
If unsure, better save your *human readable data* (no binaries) and, like Noerr said, reinstall and secure the system.
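
The manual checks named in the reply above (dot-files, dot-dirs, passwd anomalies), as an added example that is not part of the original thread. It assumes the suspect filesystem is mounted from trusted boot media so the tools themselves are clean; the function names, the directory list and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: offline triage of a suspect filesystem. Run from trusted boot
# media so sh, awk and find are known-clean; $1 is the suspect root's mount point.

# Accounts other than root that have UID 0 in the suspect passwd file.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1/etc/passwd"
}

# Accounts whose password field is empty (no password needed to log in).
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1/etc/passwd"
}

# Dot-files and dot-dirs under directories that normally contain none.
# The directory list is an assumption; extend it for the system at hand.
hidden_entries() {
    ( cd "$1" || exit 1
      for d in dev tmp var/tmp usr/lib usr/share; do
          if [ -d "$d" ]; then find "$d" -name '.*' -print; fi
      done | LC_ALL=C sort )
}

# Constructed sample tree (not from the thread) so the script runs anywhere.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/etc" "$t/dev/.hidden" "$t/tmp" "$t/usr/lib"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'toor:x:0:0::/:/bin/sh' \
        'ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin' \
        'guest::501:501::/home/guest:/bin/bash' > "$t/etc/passwd"
    : > "$t/tmp/.x"
    : > "$t/usr/lib/libc.so"
    echo "$t"
}

triage() {
    echo "== extra UID 0 accounts ==";     uid0_accounts "$1"
    echo "== empty password fields ==";    empty_password_accounts "$1"
    echo "== hidden files/directories =="; hidden_entries "$1"
}

# With no argument, run against the constructed sample tree.
if [ -n "${1:-}" ]; then
    triage "$1"
else
    sample=$(make_sample_tree) && triage "$sample" && rm -rf "$sample"
fi
```

A clean result from these checks does not clear the box; it only means these particular anomalies are absent.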