Security Incidents mailing list archives
Re: Questions = Thanks
From: "Pascal Nobus" <pascal () nobus be>
Date: Thu, 22 Nov 2001 00:18:07 +0100
----- Original Message -----
From: "Ihsahn Diablo" <traktopika () hotmail com>

So I have one more thing to ask you: to give me some good links about
what to do after a break or what to do if somebody is in the middle of an
attack.

Boot your server up in single user mode and enter these commands:

rpm -qa | sed "s/^/rpm --verify /g" > /root/verify-rpms
chmod +x /root/verify-rpms
/root/verify-rpms > /root/verify-results

Wait for this list to complete. If you see files like /bin/ls, /bin/ps,
/bin/login, /etc/pam.d/login, /etc/pam.d/passwd, /etc/rc.d/rc.sysinit,
/dev/*, /etc/services, /usr/bin/find showing up in this list then it's very
likely you have been hacked into. You can determine which rpm each of these
files came from and reinstall the RPM for them from a secure media (Red Hat
6.2 CDROM) via:

rpm -qf /bin/ls             # will tell you which rpm it came from
fileutils-4.0-21
rpm -ev --nodeps fileutils  # will remove fileutils rpm package
# if you get error saying a file like /bin/ls could not be deleted
# run the command `chattr -ia /bin/ls` or whatever file then remove
# that file by hand `rm -f /bin/ls`
rpm -Uvvh /mnt/cdrom/RedHat/RPMS/fileutils*

and you continue to do this process for all the files. Once you did all
this, run

passwd root

and set a new root password, and disable all shell accounts via

passwd -l username

Then go up to init 3:

init 3

then run

netstat -taupen -ww

and look for any unusual process listening to funny ports with funny names.

After that take a look at iptables (or ipchains) and configure yourself a
real tight firewall (i.e. DENY all, and open only the ports you need).

Perhaps better: if you got an old PC, put MySQL and SSL-Apache on it,
install an Intrusion Detection System on it, plug it into your local network
and all the 'bad' traffic is monitored and logged. I'm very pleased with
snort (http://www.snort.org) and using Demarc as a tool to analyze
everything (http://www.demarc.org).

Good luck!

Pascal

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more
information on this free incident handling, management and tracking system
please see: http://aris.securityfocus.com
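The verify-results file that Pascal's script writes is plain `rpm --verify` output: a flag column (S size, M mode, 5 digest, D device, L link, U user, G group, T mtime, P capabilities on newer rpm, or the word "missing"), an optional file-type letter (c for config files), then the path. Reading that list by eye across a whole system is where mistakes happen, so here is an added example, not part of the original message, that parses it and flags the entries the post treats as evidence of a break-in: any of the named system files or anything under /dev that changed, any file that is missing, and any non-config file whose size, digest, mode or ownership differs from the package. Local edits to config files are ignored unless the file is on the critical list (/etc/services is). The sample verify output, the `owner` map standing in for `rpm -qf` answers, and all function names are constructed for this example.

```python
import re

# Files the post singles out as the classic targets; any change to these is flagged.
CRITICAL = {
    "/bin/ls", "/bin/ps", "/bin/login", "/etc/pam.d/login", "/etc/pam.d/passwd",
    "/etc/rc.d/rc.sysinit", "/etc/services", "/usr/bin/find",
}
CRITICAL_PREFIXES = ("/dev/",)   # the post's /dev/*

# One verify line: flags (or "missing"), optional type letter (c d g l r), path.
VERIFY_RE = re.compile(r"^(missing|[SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(/\S+)$")

# Constructed sample of what /root/verify-results might contain after the script ran.
SAMPLE = """\
S.5....T.    /bin/ls
S.5....T.    /bin/ps
..5....T.  c /etc/services
.......T.    /usr/share/man/man1/ls.1.gz
missing      /usr/bin/find
S.5....T.  c /etc/motd
.M.......    /dev/null
"""


def parse_verify_line(line):
    """Return {'flags','config','path'} for one rpm --verify line, or None if unparseable."""
    m = VERIFY_RE.match(line.rstrip())
    if not m:
        return None
    flags, ftype, path = m.groups()
    return {"flags": flags, "config": ftype == "c", "path": path}


def is_critical(path):
    return path in CRITICAL or path.startswith(CRITICAL_PREFIXES)


def classify(entry):
    """Reason string if the entry looks like tampering per the post's rules, else None."""
    flags, path, config = entry["flags"], entry["path"], entry["config"]
    if flags == "missing":
        return "file missing from package"
    if is_critical(path):
        return "critical file modified (%s)" % flags
    if config:
        return None            # admin-edited config files are expected to differ
    if "5" in flags or "S" in flags:
        return "content changed (%s)" % flags
    if "M" in flags or "U" in flags or "G" in flags:
        return "permissions/ownership changed (%s)" % flags
    return None                # mtime-only drift (e.g. touched man pages) is noise


def suspicious_files(text):
    """Scan verify output; return [(path, reason)] in file order."""
    findings = []
    for line in text.splitlines():
        entry = parse_verify_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            findings.append((entry["path"], reason))
    return findings


def reinstall_plan(findings, owner):
    """Group flagged paths by owning package (owner maps path -> package, as rpm -qf reports).

    Paths with no known owner land under 'UNKNOWN' so nothing is silently dropped.
    """
    plan = {}
    for path, _reason in findings:
        plan.setdefault(owner.get(path, "UNKNOWN"), []).append(path)
    return plan


if __name__ == "__main__":
    found = suspicious_files(SAMPLE)
    for path, reason in found:
        print("%-28s %s" % (path, reason))
    # 'owner' is a constructed stand-in for running rpm -qf on each path.
    owner = {"/bin/ls": "fileutils-4.0-21", "/bin/ps": "procps"}
    for pkg, paths in reinstall_plan(found, owner).items():
        print("reinstall %s for: %s" % (pkg, ", ".join(paths)))
```

In use, feed it the real file (`suspicious_files(open("/root/verify-results").read())`) and fill `owner` from `rpm -qf` on each flagged path; the plan then tells you which packages to erase and reinstall from the CD-ROM, one package at a time as the post describes. Keep in mind the post's own caveat: this compares files against the rpm database on the same disk, so it is only as trustworthy as that database and the rpm binary doing the comparison.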