Re: Questions = Thanks

From: Pascal Nobus (pascalat_private)
Date: Wed Nov 21 2001 - 15:18:07 PST


    ----- Original Message -----
    From: "Ihsahn Diablo" <traktopikaat_private>
    
    > So I have one more thing to ask you: to give me some good links about what
    > to do after a break or what to do if somebody is in the middle of an attack.
    
    boot your server up in single user mode
    enter these commands
    rpm -qa|sed "s/^/rpm --verify /g" > /root/verify-rpms
    chmod +x /root/verify-rpms
    /root/verify-rpms > /root/verify-results
    
    wait for this list to complete
    
    if you see files like /bin/ls, /bin/ps, /bin/login, /etc/pam.d/login,
    /etc/pam.d/passwd, /etc/rc.d/rc.sysinit, /dev/*, /etc/services, /usr/bin/find
    showing up in this list then it's very likely you have been hacked into
    
    you can determine which rpm each of these files came from and reinstall
    the RPM for them from a secure media (Red Hat 6.2 CDROM) via
    
    rpm -qf /bin/ls #will tell you which rpm it came from
    fileutils-4.0-21
    
    rpm -ev --nodeps fileutils #will remove fileutils rpm package
    # if you get error saying a file like /bin/ls could not be deleted
    # run the command `chattr -ia /bin/ls` or whatever file then remove
    # that file by hand `rm -f /bin/ls`
    
    rpm -Uvvh /mnt/cdrom/RedHat/RPMS/fileutils*
    
    and you continue to do this process for all the files
    
    once you've done all this, run
    passwd root
    
    and set a new root password and disable all shell accounts via
    passwd -l username
    
    then go up to init 3
    
    init 3
    
    then run
    
    netstat -taupen -ww
    
    look for any unusual process listening to funny ports with funny names
    
    After that take a look at iptables (or ipchains) and configure yourself a
    real tight firewall (i.e. DENY all, and open only the ports you need).
    Perhaps better: if you've got an old PC, put MySQL and SSL-Apache on it,
    install an Intrusion Detection System on it, plug it into your local network
    and all the 'bad' traffic is monitored and logged.
    I'm very pleased with snort (http://www.snort.org) and using Demarc as a
    tool to analyze everything (http://www.demarc.org).
    
    Good luck!
    Pascal
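Added example, not code from the original post: a small sh script that sorts `rpm --verify` output like that produced by the verify-rpms run above into the trojan-like hits (non-config files that are missing or whose size, md5 digest or mode changed) and the config files that merely changed, using constructed sample lines so it runs offline; the function names and the sample are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): triage the rpm --verify
# results the poster's /root/verify-rpms script produces. rpm -V prints one
# line per file that differs from the package database:
#   SM5DLUGT c /path    S size, M mode, 5 md5 digest, D device, L link,
#                       U user, G group, T mtime, '.' unchanged; 'c' marks
#                       a config file; a vanished file shows as "missing".
# A changed mtime alone is noise; size, digest or mode changes on a
# non-config file, or a missing file, are what a trojaned binary looks like.

# Constructed sample rpm -V output, not taken from a real system.
SAMPLE_VERIFY_OUTPUT='S.5....T   /bin/ls
S.5....T   /bin/ps
.......T   /usr/share/man/man1/ls.1.gz
S.5....T c /etc/services
.M.....T   /etc/rc.d/rc.sysinit
missing    /usr/bin/find'

# Split one rpm -V line into ATTRS, FTYPE (config marker or empty) and FPATH.
parse_verify_line() {
    set -- $1
    ATTRS=$1; shift
    case "$1" in
        c|d|g|l|r) FTYPE=$1; shift ;;
        *)         FTYPE='' ;;
    esac
    FPATH=$*
}

# Reads rpm -V output on stdin. "binary" prints non-config files that are
# missing or whose size, mode or md5 digest changed; "config" prints config
# files with the same changes, listed separately because admins also edit
# those legitimately and they need a different kind of review.
changed_files() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        parse_verify_line "$line"
        case "$1:$FTYPE:$ATTRS" in
            binary:c:*|config::*) ;;   # not the class asked for, skip
            *:missing|*:*S*|*:*M*|*:*5*) printf '%s\n' "$FPATH" ;;
        esac
    done
}

echo "Suspect binaries (reinstall their RPMs from trusted media):"
printf '%s\n' "$SAMPLE_VERIFY_OUTPUT" | changed_files binary
echo "Changed config files (diff against the package's copy):"
printf '%s\n' "$SAMPLE_VERIFY_OUTPUT" | changed_files config
```

On a live system `rpm -Va | changed_files binary` replaces the sample input; rpm -V trusts the package database and the rpm binary on the compromised disk itself, so a clean verify is not proof of a clean system, which is why the reinstall from CD-ROM described above still matters.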
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Nov 21 2001 - 15:24:06 PST