Oh, it's updated :-). It's an addiction of mine.... This time a good one. Checked logs, nothing out of the ordinary, which. Now is the time for me to change the POP, SMTP banners and others too. Maybe make a banner that is a totally different OS? How is that accomplished? Thanks for everyone's insights. Matt On Sunday 28 January 2001 07:38 pm, Michael Chletsos wrote:
Along with all that was said below, a good place to look for compromises is in /var/log/messages. This is where your system logs all sorts of things. But if the people who attacked you are good (just because you are compromised does not mean that the people are good), they will destroy this information. Look for out-of-the-ordinary things, like weird user logins and weird sshd attempts or something of that sort. Also, just check your lastlog; they may not have been able to remove their entry from it. I say to check these things a. because it is a good idea to check on your system and b. if they are sending you mail from their domain, it probably means that they are not that good. But it also might mean that josswin is compromised. Another good thing to do is get a good book on security. Sometimes they seem overwhelming, but there are some basic things you need to do if you want to secure a system on the network, especially if you have a permanent connection (i.e. DSL). And try not to give out too much information about your server. I noticed that you advertise on your website that you are run by Suse 7.0, which is a great ad for Suse, but bad for you. By advertising your distribution, you advertise all known security flaws with it, especially if you are not used to updating your system.
enjoy, michael
On Mon, 29 Jan 2001, Nix wrote:
Look, if someone can break in and replace the sendmail.cf file, it means that you have been compromised in some way to root level, i.e. you have been OWNED! Don't take this lightly; you may even want to get the police involved, as it IS an offense. Meantime, do not connect your machine to the internet. If this was my machine I would be rebuilding it from CD, and installing ALL security patches before connecting it back to the internet. You MUST also use entirely new passwords, and you have to assume that a sniffer as well as an ssh/sshd backdoor has been installed. This means that any machines that you have connected from or to this machine may also be compromised. DO NOT TAKE THIS LIGHTLY. Unless you are SURE that you are better than the people who attacked you (and no offense intended, but if you were, you would not have been broken into in that manner) and know the files on your system intimately AND run something like Tripwire or AIDE, then you HAVE to assume the worst.
I spent several days last week tracking an intrusion through a financial institution (i.e. I do this stuff for a living), so please take me seriously...
Regards
Nix
At 02:08 PM 29/01/2001, you wrote:
I will e-mail josswin, as he may be compromised.
I am using Postfix; what should I look for on the server? Not sure if I have been broken into, but it's certainly shaken me up (and it's best to assume that I have been compromised, better safe than sorry).
Now checking through Nix's website; nice to have a resource like that!
Matt
On Sunday 28 January 2001 05:53 pm, Nix wrote:
At 12:40 PM 29/01/2001, you wrote:
Dear All
Here is the contents of that e-mail:
From: FETCHMAIL-DAEMON@josswinn.org To: matthew@psychohorse.com Date: Mon, 29 Jan 2001 07:04:08 +0900
I've been getting these for a few days. Not sure where from ?
On Thursday night at midnight my net-facing box was broken into and someone replaced sendmail.cf with another one. What this meant was that when my box downloaded mail it then forwarded it to many people on the internet. I discovered this and replaced sendmail.cf before any damage was done.
Tonight I was about to reply to this e-mail at about midnight and someone broke in and destroyed my Pine 4.32 mail app. That meant that I couldn't send this mail either.
So, what's going on ? I don't know either.
Mate, unplug the box from the net. If it has been broken into you don't know what has been compromised. Please email me back privately if you need help. I will be contactable for the next 8hrs or so by email. (I am ducking out to grab some lunch now, but will be back in 20min..)
Cheers
--- Nix - nix@susesecurity.com http://www.susesecurity.com
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
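Michael's advice above (look through /var/log/messages for weird logins and sshd attempts) is the kind of check that is easy to script. What follows is an added example, not code from anyone in this thread: it parses sshd "Accepted"/"Failed" lines from a constructed /var/log/messages excerpt and flags logins that fall outside a policy of expected users, trusted source prefixes and normal hours, or that were preceded by a burst of failures from the same address. The hostname, users, addresses and the policy values are all made up for the example.

```python
import re
from collections import Counter

# Constructed /var/log/messages excerpt (sshd lines only); not real data from the thread.
SAMPLE_LOG = """\
Jan 28 23:58:01 psycho sshd[812]: Failed password for root from 192.0.2.45 port 3112 ssh2
Jan 28 23:58:04 psycho sshd[812]: Failed password for root from 192.0.2.45 port 3112 ssh2
Jan 28 23:58:09 psycho sshd[815]: Failed password for invalid user admin from 192.0.2.45 port 3120 ssh2
Jan 29 00:01:17 psycho sshd[820]: Accepted password for root from 192.0.2.45 port 3131 ssh2
Jan 29 08:15:42 psycho sshd[901]: Accepted publickey for matthew from 192.168.1.10 port 40211 ssh2
Jan 29 08:16:03 psycho sshd[904]: Accepted password for josswin from 203.0.113.9 port 1025 ssh2
"""

# Matches the classic syslog prefix followed by an sshd authentication result line.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_events(log_text):
    """Return a list of dicts for sshd Accepted/Failed lines; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["hour"] = int(ev["time"][:2])
            events.append(ev)
    return events


def failed_by_source(events):
    """Count failed authentications per source address (brute-force indicator)."""
    return Counter(ev["ip"] for ev in events if ev["result"] == "Failed")


def suspicious_logins(events, known_users, trusted_prefixes,
                      quiet_hours=range(0, 6), brute_threshold=3):
    """Flag successful logins that violate the (assumed) policy.

    Each finding is (user, ip, time, [reasons]). Events are processed in log
    order so the failure count reflects only attempts *before* the success.
    """
    findings = []
    failures_so_far = Counter()
    for ev in events:
        if ev["result"] == "Failed":
            failures_so_far[ev["ip"]] += 1
            continue
        reasons = []
        if ev["user"] not in known_users:
            reasons.append("unexpected user %s" % ev["user"])
        if not ev["ip"].startswith(tuple(trusted_prefixes)):
            reasons.append("untrusted source %s" % ev["ip"])
        if ev["hour"] in quiet_hours:
            reasons.append("login at %s is outside normal hours" % ev["time"])
        if failures_so_far[ev["ip"]] >= brute_threshold:
            reasons.append("%d failed attempts from %s before success"
                           % (failures_so_far[ev["ip"]], ev["ip"]))
        if reasons:
            findings.append((ev["user"], ev["ip"], ev["time"], reasons))
    return findings


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print("failed attempts per source:", dict(failed_by_source(events)))
    # Policy values are assumptions for the example: one expected user, one trusted LAN prefix.
    for user, ip, when, reasons in suspicious_logins(events, {"matthew"}, ["192.168.1."]):
        print("SUSPICIOUS %s from %s at %s: %s" % (user, ip, when, "; ".join(reasons)))
```

A clean run of this script is not evidence of a clean machine: as Michael notes, an attacker with root can edit or truncate /var/log/messages, so compare against lastlog and, as Nix says, against a file-integrity baseline (Tripwire or AIDE) rather than trusting the log alone.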