Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Hi there. If he corrupted your security, do not delete any of the system, and do not re-install everything before you have found the precise hole he used; report it wherever you can (especially to the owner(s) of the software). You should also retrace the malicious user, because it is well known that what comes goes, and comes back. If he deleted all the logs, no worries: put the system back up as it is, corrupted, but stay 100% of the day and night tailing all logs and running tcpdump (or sniffit -i).
Now, to get your password back: I've installed a late version of Red Hat (errata, I think) and it came with GRUB (I had the choice); hopefully you'll have LILO running.
Unplug your box, or reboot it using the Magic SysRq keys (kernel hacking must be enabled) and shut down your system.
At boot-up, when you get LILO, press Tab / Caps or whatever to get the lilo: prompt, and type: linux init=/bin/sh rw (I think; otherwise you must look it up on Google). When you succeed, simply run passwd and change the root password.
You should also install AIDE, Bastille, and all other defense and intrusion detection software.
Originally posted by Eternal: You should also install AIDE, Bastille, and all other defense and intrusion detection software.
In addition to this, if you can't establish a probable cause of compromise using AIDE, Tripwire and chkrootkit, please reinstall from scratch and use different passwords. Leaving a backdoor is quite simple, and if the passwords are cracked, access is even simpler.
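The post above leans on AIDE and Tripwire to tell whether the box has been tampered with. As an added example (not code from the thread, and not AIDE's or Tripwire's own logic), this is the core of what those tools do, stripped down to a POSIX shell script: hash every file in a tree once, keep that baseline somewhere the attacker cannot reach, and later re-scan and diff. The tool names (sha256sum, shasum) and every path in the demo are assumptions; the sample tree is constructed inside the script.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal file-integrity check in the
# spirit of AIDE/Tripwire. Record SHA-256 hashes of a tree once (right after a
# clean install), keep that baseline on read-only or offline media, and compare
# the live tree against it later. Tool and path names below are assumptions.
set -eu

# sha256sum is coreutils (Linux); shasum covers BSD/macOS.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# make_baseline DIR OUTFILE: one "hash  ./relative/path" line per regular file,
# sorted so two scans of an unchanged tree are byte-identical.
make_baseline() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          hash_file "$f"
      done ) > "$2"
}

# check_baseline DIR BASELINE: return 0 if the tree matches the baseline,
# otherwise print the differing lines and return 1. Lines only in the
# baseline are modified or deleted files; lines only in the fresh scan are
# modified or newly added files (a dropped backdoor shows up here).
check_baseline() {
    now=$(mktemp)
    make_baseline "$1" "$now"
    if cmp -s "$2" "$now"; then
        rm -f "$now"
        return 0
    fi
    diff "$2" "$now" || true
    rm -f "$now"
    return 1
}

# demo: build a constructed tree, baseline it, then tamper with a file and add
# one. Returns 0 only if the clean tree passes and the tampered tree fails.
demo() {
    tree=$(mktemp -d)
    base=$tree.baseline           # keep the baseline outside the scanned tree
    mkdir -p "$tree/etc" "$tree/bin"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$tree/etc/passwd"
    printf '#!/bin/sh\nexec /bin/ls "$@"\n' > "$tree/bin/ls"
    make_baseline "$tree" "$base"
    check_baseline "$tree" "$base" >/dev/null || return 1     # clean tree must pass
    printf 'evil:x:0:0::/:/bin/sh\n' >> "$tree/etc/passwd"    # extra uid-0 account
    : > "$tree/bin/.hidden"                                    # new file dropped
    if check_baseline "$tree" "$base" >/dev/null; then
        return 1                                               # tampering missed
    fi
    rm -rf "$tree" "$base"
    return 0
}
```

Usage: make_baseline / /root/baseline right after install, then check_baseline / /root/baseline from a cron job or by hand. The caveat the thread's advice implies still holds: a root-level intruder can rewrite the baseline as easily as the files, so it only means something if it lives on media the running system cannot write, and a hash list says nothing about a kernel module or a trojaned sha256sum itself.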
If you are remote logging, you may want to look into hacking syslog to read the syslog.conf file from somewhere else, then place the normal conf file there. That way the hacker doesn't know that you are remote logging and may not look for them.
In my experience of being hacked twice this year on a full production server (serving approx. 30 websites + email), you should be wary of just 'rebooting' the server without first finding out what damage has been done and what trojans, if any, have been installed.
In some cases, rebooting will basically bork your machine out totally!
In any case, you should consider running :-
Also, restrict access in total Paranoid mode -
disable anonymous ftp and consider using sftp
only allow ssh sessions from one fixed IP address
remove any unnecessary running services
keep the number of users on your system at a bare minimum - if you have users getting email from your system but they don't need to ever log into the system, make sure they don't have a shell account!
After a fresh install and setup, back up your critical server configuration files - basically just back up the whole of /etc.
And of course, check security advisories on a daily basis.
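The "mail users should not have a shell account" point in the post above is the one that is easiest to check mechanically. As an added example (not code from the thread), here is a POSIX shell audit that lists every account in a passwd file whose shell still allows a login and prints the usermod commands that would close the regular ones. The passwd data written by write_sample_passwd is constructed for the example, the no-login shell paths and the uid >= 1000 cut-off are assumptions, and nothing is executed against the live system.

```shell
#!/bin/sh
# Added example, not code from the thread: audit /etc/passwd for accounts that
# still have an interactive login shell, and emit the usermod commands that
# would move mail-only users to a no-login shell. The passwd content written by
# write_sample_passwd is constructed for this example; shell paths are assumptions.
set -eu

# Shells that refuse interactive logins. Extend to match your distribution.
NOLOGIN_SHELLS='/sbin/nologin /usr/sbin/nologin /bin/false /usr/bin/false'

# is_nologin SHELL: 0 if SHELL is in NOLOGIN_SHELLS, else 1.
is_nologin() {
    for s in $NOLOGIN_SHELLS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# interactive_accounts PASSWD_FILE: print "user:uid:shell" for each account
# whose shell allows a login. An empty shell field means /bin/sh to login(1),
# so it counts as interactive rather than being skipped.
interactive_accounts() {
    while IFS=: read -r user _ uid _ _ _ shell; do
        case "$user" in ''|\#*) continue ;; esac
        [ -n "$shell" ] || shell=/bin/sh
        if ! is_nologin "$shell"; then
            printf '%s:%s:%s\n' "$user" "$uid" "$shell"
        fi
    done < "$1"
}

# suggest_lockdown PASSWD_FILE ADMIN: for every interactive account that is a
# regular user (uid >= 1000) other than ADMIN, print the command that removes
# its shell. Review the list before running it; it is printed, not executed.
suggest_lockdown() {
    interactive_accounts "$1" | while IFS=: read -r user uid shell; do
        if [ "$uid" -ge 1000 ] && [ "$user" != "$2" ]; then
            printf 'usermod -s /usr/sbin/nologin %s\n' "$user"
        fi
    done
}

# write_sample_passwd PATH: constructed passwd data for a demo run.
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
admin:x:1000:1000:Admin:/home/admin:/bin/bash
webuser:x:1001:1001:Site owner:/home/webuser:/bin/sh
mailonly:x:1002:1002:Mail only:/home/mailonly:
ftpguest:x:1003:1003::/srv/ftp:/bin/false
EOF
}
```

Usage on a real box: interactive_accounts /etc/passwd to see who can still log in, then suggest_lockdown /etc/passwd admin, read the list, and run only the lines for users who really are mail-only. The empty-shell case is the one people miss: an account with nothing after the last colon is not locked, it gets /bin/sh. For the "ssh from one fixed IP only" item, the same spirit applies: put an AllowUsers admin@203.0.113.5 line in sshd_config (address assumed) rather than relying on a firewall rule alone.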
Originally posted by sancho5: The Coroner's Toolkit comes to mind.
Hmm. I would be surprised if people have TCT compiled and ready (anyone tried Biatchux?), have read the manuals more than once, and practice with it as well. TCT ain't the easiest stuff to start with; you need to have some forensics knowledge and time, like aeons of time :-]