Re: Help with the hackers....
01-22-2001 10:18 AM
It started about 3 weeks ago. I got hacked into. The system was immediately wiped, disk formatted, etc...
Well, on Sunday I was hacked again. Last time I had NFS running, and found out the hard way that rpc.statd has many problems in Linux. Also, I was allowing ICMP through my router. Since the first hack,
I have removed ICMP from the router, removed all NFS, all NIS, etc.... The only things running were LPD, FTPD, HTTPD and telnetd. This is RH7. I also found, at least weekly, all patches for security, and see what it got me?
Anyway, I am so used to SunOS and HP-UX being secure that I am really stumped as to how the dirtbags are getting in?????
Input from pros is greatly appreciated!
Regards,
Shannon
01-22-2001 12:54 PM
http://www.thenewbiesarea.f2s.com/texts.html
Another location suggested EEPROM on a network card could be hacked to provide continued access even after a formatted drive and reinstalled OS ... if possible, yuck!
01-22-2001 01:02 PM
http://www.openna.com/resources/security/hacking_into_linux.htm
01-22-2001 06:16 PM
I also tested statdx against RH7 and could not get the root shell. I also tested some of the exploits I found for my version of wu-ftpd. Again, none of them work...
This is why I need some more advanced explanation of how the butt-plugs are getting in...
Shannon
01-23-2001 07:34 AM
If you're running a fairly simple website, you should only have 21, 80, and 443 (if you're using SSL) inbound open. Leaving telnet open to the Internet is just begging for people to try to force their way in.
I note that 6.x RedHat had a management plug-in called Piranha that had a backdoor password implemented if you "install all" of the product. I would have thought that had been resolved with the 7.x release, but you never know.
01-23-2001 09:04 AM
1. Disable all services you don't need in:
/etc/rc.d/rc3.d, /etc/rc.d/rc5.d
/etc/inetd.conf
2. Deny access from the Internet to services you don't need:
/etc/hosts.allow, /etc/hosts.deny
3. See:
/etc/hosts.equiv, /root/.rhosts
4. Use ipchains to close all ports you don't need. Open only the ports and protocols you REALLY NEED.
01-23-2001 10:42 AM
The best way to help prevent problems is to find them first yourself, a few ways to do that are:
nmap http://www.insecure.org/nmap/
dsniff http://www.monkey.org/~dugsong/dsniff/
tcpdump http://ee.lbl.gov/
Unfortunately, intrusion detection is as much an art as it is a science, so there's really no quick way to learn it, regardless of what sales reps may tell you :-)
BTW, they're called crackers, not hackers; there IS a difference.
HTH
01-23-2001 10:43 AM
Also, make sure Anonymous FTP is turned off and/or the latest update for wu-ftpd is installed. For greater protection, you may want to invest in ProFTPD.
Install SSH and turn off telnet in inetd.conf...many telnet hacks out there.
Kill any r-anything BSD services. If you are on the Internet, you do not want these programs running.
Unfortunately, cheap bandwidth has made finding and cracking computers easier for kids who want to impress their friends by setting up IRC floods and DDoS attacks. Make sure you run NMAP on the machine and only have httpd and ssh running to the outside. For anything else, you will need to proceed with caution.
Good luck!
Steve
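The two posts above (the numbered checklist and Steve's advice to drop telnet and the BSD r-services) both come down to auditing what inetd still starts and whether tcp_wrappers defaults to deny. The script below is an added example, not code from the thread: it parses a constructed inetd.conf sample in the Red Hat 7 format, flags the services the posters single out, and checks a hosts.deny body for the "ALL: ALL" default-deny line. Service names in RISKY_SERVICES and the sample config are assumptions for illustration.

```shell
#!/bin/sh
# Constructed sample of a Red Hat 7-era /etc/inetd.conf (not from the thread).
# Commented lines are disabled services; uncommented lines are started by inetd.
SAMPLE_INETD=$(cat <<'EOF'
# inetd.conf - constructed example
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
#finger stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
)

# Print the names of services inetd would actually start:
# skip blank lines and comments, take the first field of each entry.
enabled_inetd_services() {
    printf '%s\n' "$1" | awk '!/^[[:space:]]*#/ && NF > 0 { print $1 }'
}

# Services the thread advises keeping off an Internet-facing box:
# telnet (use ssh instead) and the BSD r-services (shell, login, exec).
RISKY_SERVICES="telnet shell login exec finger"

# Print every enabled service that is on the risky list.
# Returns 0 when none are enabled, 1 when at least one is.
flag_risky_services() {
    found=0
    for svc in $(enabled_inetd_services "$1"); do
        for risky in $RISKY_SERVICES; do
            if [ "$svc" = "$risky" ]; then
                echo "ENABLED (risky): $svc"
                found=1
            fi
        done
    done
    return $found
}

# True when a hosts.deny body contains the "ALL: ALL" default-deny rule,
# so only explicit hosts.allow entries can reach tcpd-wrapped services.
hosts_deny_is_default_deny() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL'
}
```

Against a real box, replace the sample with `"$(cat /etc/inetd.conf)"` and `"$(cat /etc/hosts.deny)"`; a non-zero return from `flag_risky_services` is the cue to comment out the entry and restart inetd.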
01-23-2001 11:13 AM
Just got hacked as well .... remove wuftp-2.6.0 from your server - this is the method of attack.
Hope that helps.
01-23-2001 11:42 AM
I'd also bet money that we'll see other variations that aren't specifically targeting Red Hat systems in the near future.
01-24-2001 03:33 AM
Strange though that wu-ftpd was patched with the latest by Redhat, and rpc.statd was disabled....
I'll be looking at proftp and perhaps if that fails then just compiling from source wu-ftp.
Last question is how (since redhat does not notify) do I find out about these exploits before I am hacked?
This is twice I have had to dig at getting hacked and finding info in areas other than RH?
Thanks for most of your input!
Shannon
01-24-2001 07:40 AM
Unfortunately there isn't one all-encompassing security site that I have found. I find that browsing the commercial/government sites as well as the "hacker" sites is about the best compromise. I also keep an eye on alt.os.linux.security since it's active 24/7 with people from around the world posting. Here are some of my main security bookmarks.
http://www.attrition.org/
http://www.sans.org/newlook/home.htm
http://securityportal.com/
http://www.securityfocus.com/
http://www.infowar.com/
http://www.cert.mil/
http://rootshell.com/beta/news.html
http://www.infosyssec.org/
http://xforce.iss.net/