On Wed, 2004-09-22 at 16:10, Tim Huffman wrote: > Can anybody point me to some good resources on Linux (especially RedHat) > security? I'm a fairly new admin, and it looks like one of the boxes I'm > taking care of was at least party compromised. > > What's the best way to see how badly the server was compromised? Is > there any way to salvage it, or should I wipe it? > > I appreciate any help you guys can give me. Thanks! > > -Tim You can try running chkrootkit. It may identify specific root kits if they were installed. However if you really suspect the system was compromised the only real way to ever be sure the system is secure again is to do a re-install. Even if the chkrootkit comes back clean a really good hacker might not leave any traces. When you re-install you will want to review your firewall settings on the server as well as at the demark and you should consider installing tripwire. Tripwire can let you know when certain files change on the system. In this case it might produce a list of changed files. And even if you have tripwire and you suspect a system was compromised it is always recommended to re-install the system. -- Scot L. Harris webid@xxxxxxxxxx Blessed are they who Go Around in Circles, for they Shall be Known as Wheels. -- Shrike-list mailing list Shrike-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/shrike-list
