On Thursday 14 July 2005 23:24, Anderson Miranda wrote:

> Heck, gonna have to get a full reinstall over a new machine (my infected
> system is still running... slowly, but running... I can't just take the
> whole system down and make a fresh install... Gotta do it in a new box
> and restore my files from damaged system)..

Here are some suggestions about reinstalling your system:

- When you do the reinstall, make sure the computer is physically not on the network. That means pull the network cable!

- Before putting your computer back on the net, set up iptables so that all connections from outside are dropped. Do not reject, because then someone knows your system is there again and will watch it.

- After your machine is back on the network, continue using the iptables DROP for all incoming traffic, and specifically allow only the ports you want to allow. In the case of enabling ssh, examine which addresses on the net you will come in from and allow those - it is unlikely you will be accessing from Serbia, Russia, China, or somewhere like that.

- If possible, run apache chrooted. Keep only the absolute minimum in the chroot jail for apache to run.

- The directory for your htdocs should be mounted on its own partition with the noexec flag set. Anything with CGIs could also be mounted on its own partition read only.

- Install and use tripwire or similar. Have it on a partition that is not in the fstab and is only mounted when it is run, or better still on an nfs mount or external media such as a firewire disk. There, your partitions should be mounted read only to prevent an already successful hacker messing with your tripwire setup. If you need to update the tripwire databases, remount rw for the shortest time possible.

- Consider using snort. It's a pain to set up, but can be of great use in preventing such incidents.

There are some other considerations, but I can't think of them off hand. Even so, the above list is a good place to start.

It does make administration more difficult and time consuming, but on the other hand it also makes life for crackers much more difficult, which reduces the chances your system will be cracked. Script kiddies will fall over flat immediately on such a system. Serious crackers will still have a hard time. There's no such thing as absolute security, except if you don't turn your computer on, but you can make it as secure as possible. Even the University in Bochum, Germany had its mail server cracked recently, and that despite them being one of the best there is in things of security.

I hope I've been able to give some useful information here.

regards
markus

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
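The iptables advice in the reply above (default DROP rather than REJECT, ssh only from the addresses you administer from, only the web ports open to everyone) as an added example script, not code from the original post. It generates an iptables-restore ruleset; the ssh source networks and the port list are constructed placeholder values, and the `conntrack` match is assumed to be available.

```shell
#!/bin/sh
# Added example: build an iptables-restore ruleset that drops all inbound
# traffic by default and opens only ssh (from listed networks) and the web.
# Review the output, then apply as root with:  sh harden.sh | iptables-restore
set -eu

# Networks allowed to reach ssh (constructed values; use the ones you really
# come in from).
SSH_SOURCES="${SSH_SOURCES:-192.0.2.0/24 198.51.100.7}"
# Services open to everybody.
PUBLIC_TCP_PORTS="${PUBLIC_TCP_PORTS:-80 443}"

build_ruleset() {
    printf '%s\n' '*filter'
    # Default policies: silently DROP inbound and forwarded packets; no REJECT,
    # so a scanner gets no answer telling it the host is back.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback, and replies to connections this host opened itself.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # ssh: new connections only from the administrator's networks.
    for src in $SSH_SOURCES; do
        printf '%s\n' "-A INPUT -p tcp -s $src --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Web ports: new connections from anywhere.
    for port in $PUBLIC_TCP_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Everything else falls through to the INPUT DROP policy.
    printf '%s\n' 'COMMIT'
}

# Sanity check: number of rules that accept NEW inbound connections, i.e.
# how many "holes" the ruleset opens (should equal ssh sources + web ports).
count_open_rules() {
    build_ruleset | grep -c -- '--ctstate NEW -j ACCEPT'
}

build_ruleset
```

Export `SSH_SOURCES` before running to substitute your own networks; the generated file can be kept under version control and compared against `iptables-save` output later.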