Eris Caffee <mailto:eris-redhat-list@xxxxxxxxxxx> on Saturday, August 20, 2005 12:04 PM said:

> The first thing to do is download and run the chkrootkit and rkhunter
> programs. It sounds like you might have a rootkit installed, and
> these programs may be able to identify which one you have.

I will give them a try, thanks.

> Honestly,
> this information may turn out not to be too useful since you are
> already cracked, but you should get these programs anyway and start
> running them on a regular basis. They can at least help you to
> quickly notice if something like this ever happens again.

Thanks.

> As for how you were cracked, don't assume that it was through an
> unpatched vulnerability. I work for a very large ISP and I see
> cracked servers a few times a week and many break-ins are done by
> exploiting improperly configured security.

Yeah, that's possible.

> For example, check to see
> if your /tmp directory is mounted with the noexec and nosuid options.
> Just enabling those options can prevent a lot of cracks since many
> attacks rely on being able to exploit a weak cgi script to upload a
> program into /tmp and run it.

It was pretty much just a default install of RH9.

> Good luck! Getting cracked like this is no fun at all and can really
> cost money if your business depends on it. Try to use this
> opportunity to learn as much as you can about security so you can
> prevent this from happening again.

Thanks for all the information!

Chris.
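
The /tmp mount-option check suggested in the quoted advice, as an added example that is not part of the original thread. The function name `missing_mount_opts` and both sample mount tables (device names included) are constructed for illustration; it also covers the case where /tmp is not a separate filesystem, where the options of the parent mount are what actually apply.

```shell
#!/bin/sh
# missing_mount_opts DIR [MOUNTS_FILE]
# Reads a mount table in /proc/mounts format (device mountpoint fstype options ...),
# finds the mount that actually holds DIR, and prints
#   "<mountpoint> <missing options, comma-separated, or 'none'>"
# MOUNTS_FILE defaults to /proc/mounts; "-" reads the table from stdin.
missing_mount_opts() {
    dir=$1
    table=${2:-/proc/mounts}
    awk -v dir="$dir" -v want="noexec,nosuid" '
        {
            mp = $2
            # A mount covers dir if it is dir itself, "/", or a parent path of dir.
            if (mp == dir || mp == "/" || index(dir, mp "/") == 1) {
                # Longest mount point wins; >= lets a later over-mount replace an earlier one.
                if (length(mp) >= length(best)) { best = mp; opts = $4 }
            }
        }
        END {
            if (best == "") exit 2          # no covering mount found in the table
            n = split(want, w, ",")
            split(opts, have_list, ",")
            for (i in have_list) have[have_list[i]] = 1
            missing = ""
            for (i = 1; i <= n; i++)
                if (!(w[i] in have)) missing = missing (missing == "" ? "" : ",") w[i]
            print best, (missing == "" ? "none" : missing)
        }
    ' "$table"
}

# Constructed sample: /tmp is only a directory on the root filesystem.
sample_default() {
    cat <<'EOF'
/dev/hda2 / ext3 rw 0 0
none /proc proc rw 0 0
EOF
}

# Constructed sample: /tmp is its own filesystem with both options set.
sample_hardened() {
    cat <<'EOF'
/dev/hda2 / ext3 rw 0 0
/dev/hda5 /tmp ext3 rw,noexec,nosuid,nodev 0 0
EOF
}

sample_default  | missing_mount_opts /tmp -   # prints: / noexec,nosuid
sample_hardened | missing_mount_opts /tmp -   # prints: /tmp none
```

Run `missing_mount_opts /tmp` with no second argument to check the live system; a result naming `/` means /tmp has no mount entry of its own to carry the options.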