Try http://www.susesecurity.com/faq/#incident_reporting
with thanks to Boris Lorenz
Greetings:
Last night my oldest (2.2.13) SuSE Linux box was attacked. Ironically, I was shelled in from another machine working on setting up a firewall script on this machine when the attack occurred. I noticed an unusual amount of network traffic and looked over the log files to discover that scanlogd was reporting repeated port scans from 10-15 foreign IPs. I have seen this sort of thing before and was not terribly concerned until text was printed to my terminal console. I then noticed that /etc/motd had been modified and became very concerned. Although a firewall was not running when the attack occurred, most services (except ssh, http, pop3, smtp and ftp) were disabled, tcp wrappers were configured, hosts.deny and hosts.allow were configured, etc. I have been pretty good about updating packages as security announcements were made.
I looked at all recently modified files and ran tripwire but could find very few changes. I believe that a directory was created ("/usr/lol" I think) and /etc/motd was changed. Also, ports were open that I don't recall being open before: 6711 and 31965. I don't know what services use these ports.
I am a Linux security novice and would appreciate feedback regarding 1) how this attack may have been accomplished and 2) what I should do to secure this box. I am working on configuring a firewall script but am afraid I might miss some security flaws created by the attackers.
Any advice would be appreciated.
Thanks.
Chris Quinn
Have fun, Nix - nix@susesecurity.com http://www.susesecurity.com