[ale] I can't seem to plug up all the security holes in mybox...

Jon Uhler juhler at sigins.com
Wed Jun 21 09:41:58 EDT 2000


Don't forget to check for all of those nasty SUID programs.

find / -perm +4000 -print > suid.txt should do it.

Sounds like you need to back up config/important files and rebuild with a known clean install.  Then read everything you can about building a secure system.

Jon

>>> <hirsch at zapmedia.com> 06/21/00 08:33AM >>>
>>>>> "Jim" == Jim Kinney <jkinney at teller.physics.emory.edu> writes:

    Jim> You've got problems!  Start by dropping to single-user mode
    Jim> and from a known good source replace every binary that
    Jim> touches any aspect of networking, login and logging.  Make
    Jim> sure you are using shadow passwords. You also need to do a
    Jim> security scan for cgi scripts with holes. That is hard
    Jim> work. Try using nessus from another machine to probe your
    Jim> system after you bring it back to multiuser mode.

And then change all the passwords.  Lots of root kits put in some sort
of trojaned login command.  That may well be how this guy has broken
in.  He got in once and installed the trojan.  From then on he can
login as anyone who has logged in since.

The time I was cracked I got lucky.  The cracker trojaned login, but
the trojan stored the user/password file locally.  I guess the plan
was to come back later and get them, but I got there first.

Best of luck,

-- 
------------------------
Michael D. Hirsch, Ph.D.
Software Developer
zapmedia.com

Phone: 678-420-2722                FAX: 678-420-2839
email: michael.hirsch at zapmedia.com Web: http://www.zapmedia.com 
--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
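As an added example (not part of the original thread), Jon's `find / -perm +4000 > suid.txt` check turned into a baseline comparison: the SUID/SGID list taken from a known-clean install is saved, and later listings are diffed against it so a dropped setuid binary stands out. It uses the POSIX `-perm -4000` form, which both GNU and BSD find accept; the directory tree and filenames in the demo are constructed.

```shell
#!/bin/sh
# Added example: audit setuid/setgid files against a baseline taken from a
# known-clean system. Demo paths below are constructed; on a real host run
# e.g.  list_suid / > /root/suid.baseline   after the clean rebuild, and
#       audit_suid / /root/suid.baseline    on later checks.

# List setuid and setgid regular files under a directory, sorted, one per line.
list_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Print entries present in the current listing ($2) but absent from the
# baseline ($1). Both files must be sorted, as list_suid produces them.
new_suid() {
    # comm -13: drop lines only in the baseline (1) and lines in both (3)
    comm -13 "$1" "$2"
}

# Compare a directory's current SUID/SGID set against a saved baseline file.
# Returns 0 when nothing new appeared, 1 when at least one new entry exists.
audit_suid() {
    dir=$1
    baseline=$2
    current=$(mktemp)
    list_suid "$dir" > "$current"
    added=$(new_suid "$baseline" "$current")
    rm -f "$current"
    if [ -n "$added" ]; then
        printf 'NEW setuid/setgid files under %s (investigate):\n%s\n' "$dir" "$added"
        return 1
    fi
    echo "no new setuid/setgid files under $dir"
    return 0
}

# --- demo on a constructed tree standing in for a real filesystem ---
demo_root=$(mktemp -d)
mkdir -p "$demo_root/bin" "$demo_root/tmp"
touch "$demo_root/bin/passwd" "$demo_root/bin/ls" "$demo_root/tmp/.x"
chmod 4755 "$demo_root/bin/passwd"              # legitimately setuid, in baseline
list_suid "$demo_root" > "$demo_root/suid.baseline"
chmod 4755 "$demo_root/tmp/.x"                  # simulated setuid file dropped later
audit_suid "$demo_root" "$demo_root/suid.baseline" || true
rm -rf "$demo_root"
```

A clean baseline only helps if it is stored off the compromised host (or on read-only media), since anything writable on the box can be edited along with the rest of the system.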
