[TriLUG] attack

Joseph Tate dragonstrider at gmail.com
Tue Feb 22 22:11:37 EST 2005


When you're hacked, the best thing to do is wipe the disks and restore
from backups.

Now, if you have a system that's not patched, that system can be
hacked in moments.  When bringing a server up for the first time, or
after an extended disconnection, it's best to update all the packages
before connecting to the wild.  The other best thing to do is shut down
all but the necessary services.  Make sure that all passwords are
"good", and that all default passwords have been changed.  Use
iptables/ipchains religiously for both incoming and outgoing
connections.

A server that hasn't been connected in a year most likely has a
distribution on it that is no longer being updated.  If you're going
to be using a system infrequently, or over a long period of time, pick
a distribution that is likely to stick around for a while, like
Debian, or CentOS, or one of the commercial distros, like RHEL or
SuSE.  They have slower release cycles and longer maintenance windows
than other popular distributions.


On Tue, 22 Feb 2005 21:43:20 EST, cate serino
<cms2945 at garnet.acns.fsu.edu> wrote:
> Hi,
> 
> After only having my server up for a few hours and to a state that I
> thought was fairly secure, I got hacked with what I think is a man in the
> middle attack.  Other than turning off ports (telnet, etc.), changing
> root passwords, and editing the hosts.allow and hosts.deny files, what
> can I do to secure my server?  I noticed that he/she was able to run
> ipchains and filter through his/her IP.  In addition, he/she was able
> to mount a filesystem on my machine. I have flushed the ipchains and
> unmounted the filesystem.  Am I missing anything?  I have not had my
> server up for a year.  Has the Internet become that bad in one year?
> 
> Many thanks,
> 
> Cate Serino
> 


-- 
Joseph Tate
Personal e-mail: jtate AT dragonstrider DOT com
Web: http://www.dragonstrider.com
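The "default deny in both directions before you go on the wire" advice above, as an added example that is not part of the thread: a script that generates a default-deny iptables ruleset (drop policy on INPUT and OUTPUT) allowing only inbound SSH on a chosen port, plus outbound DNS and HTTP/HTTPS so the package update can run before anything else is exposed. It assumes iptables-restore is installed and that apply_rules is run as root; the SSH port argument is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original message). Builds a default-deny
# iptables ruleset in iptables-restore format. Assumes iptables-restore
# is available and that apply_rules runs as root.
set -eu

# build_rules SSH_PORT: print the ruleset to stdout (default SSH port 22).
build_rules() {
    ssh_port="${1:-22}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback traffic is always allowed.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Drop packets that belong to no known connection.
-A INPUT -m state --state INVALID -j DROP
# Replies to connections this host opened itself.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The only inbound service: SSH on the chosen port.
-A INPUT -p tcp --dport ${ssh_port} -m state --state NEW -j ACCEPT
# Outbound: established traffic, DNS, and HTTP/HTTPS for package mirrors.
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
# Log a rate-limited sample of drops so the policy can be tuned.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop-in: "
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop-out: "
COMMIT
EOF
}

# apply_rules SSH_PORT: load the ruleset atomically (needs root).
apply_rules() {
    build_rules "${1:-22}" | iptables-restore
}
```

Run `apply_rules 22` first, then the distribution's package update, and only afterwards open any further inbound ports you actually need.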
