- Re: Hacking attack
12-14-2004 12:39 AM
Hi. I suspect a hacking attack on my Fedora2 server. I get a segmentation fault on commands like ls and su. Is there a way of verifying the presence of an attack or a root kit?
And how did they get in? There are loads of services like telnet and Samba enabled on the server, but on the outside the firewall only SSH (tcp port 22), Apache web server (tcp port 80), Tomcat (tcp port 8080) and Postfix SMTP (tcp port 25) are exposed. What do I need to tighten?
Is there a remedy somewhere or am I looking at burning the midnight oil with a fresh install?
12-14-2004 12:54 AM
Re: Hacking attack
After it you may:
- go to security sites or take some book and learn about next steps - a long way
- a short way - run "rpm -Va" to verify system integrity - you will receive a list of changed programs/files.
In addition you can search for, download and run utilities for rootkit detection.
12-14-2004 01:17 AM
Solution
Change the firewall configuration.
Block all protocols. Don't allow telnet at all. If possible don't allow ftp. These two protocols use clear text authentication.
Test your firewall with the telnet hostname 78 (tests port 78).
Common current attacks:
Port 25 scripting to relay spam - watch /var/log/maillog
CGI script abuse. Use a formmail form to relay spam. Watch maillog and the access and error logs for the web server.
Take a look at /etc/passwd. Look for additional accounts added, especially uid zero accounts. If you find any of these, take the machine off the network.
I would suggest running Bastille security hardening on the box.
If you feel the box is compromised, back up your data and do a complete new OS install. Fedora Core 3 is now out.
Please post details of the actual attack for further assistance.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
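Added example, not part of any reply in this thread: a shell version of the two checks suggested above, filtering `rpm -Va` output for packaged files whose contents changed or went missing, and listing extra UID 0 accounts in a passwd file. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Sample data below is constructed.

# Print accounts other than "root" whose UID field is 0 (also "00", "000").
# Argument: passwd-format file, or "-" for stdin. Default: /etc/passwd.
uid0_accounts() {
    awk -F: '$1 !~ /^#/ && $3 ~ /^0+$/ && $1 != "root" { print $1 }' \
        "${1:-/etc/passwd}"
}

# Read `rpm -Va` output on stdin. Report packaged files whose content digest
# no longer matches ("5" is the third character of the flag string) or that
# are missing. Files RPM marks as config ("c") are skipped here, because
# local edits to them are expected; review those separately.
changed_binaries() {
    awk '
        { flags = $1; marker = $2; path = $0; sub("^[^/]*", "", path) }
        marker == "c"      { next }
        flags == "missing" { print "MISSING " path; next }
        substr(flags, 3, 1) == "5" { print "MODIFIED " path }
    '
}

# Constructed sample input: one extra UID 0 account ("toor").
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
toor:x:0:0::/tmp:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin'

# Constructed sample input in `rpm -Va` format: two replaced binaries,
# one edited config file, one timestamp-only change, one missing file.
SAMPLE_RPM_VA='S.5....T   /bin/ls
S.5....T   /bin/su
S.5....T c /etc/postfix/main.cf
.......T   /usr/share/doc/readme
missing    /usr/bin/lsattr'

printf '%s\n' "$SAMPLE_PASSWD" | uid0_accounts -
printf '%s\n' "$SAMPLE_RPM_VA" | changed_binaries

# On a live host:
#   uid0_accounts
#   rpm -Va | changed_binaries
```

`rpm -Va` relies on the host's own `rpm` binary and package database, both of which an intruder with root can alter, so a clean result on a suspect machine is inconclusive. Running the check from trusted rescue media against the mounted filesystem (`rpm --root`) removes the dependency on the host's binaries.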
12-14-2004 01:44 AM
Re: Hacking attack
YESSS VIRUS. Try Panda software for Linux.
I think that Panda is a free trial :)
Tell me after that :))
Try to verify your rpm using
rpm -v
12-16-2004 01:38 AM
Re: Hacking attack
I've caught and thwarted several SSH exploit attempts..
It reports failure and successful logins..
Check CERT for any vulnerabilities for your aforementioned packages and Patch, Patch, Patch!!
Make sure SSH is current and you define a decent password policy. NO all, Alpha or Numeric, use a combination of Alpha, Numeric, and other such as (Some of these may act as escape shutdown any protocol with a login that throws a clear text login, telnet, ftp. If you need http or ftp logins use https or sftp or scp