Hello Matthias,

Thanks for the advice. In this case it was a home server indeed, but I will check on honeynet later today, because I have also built servers for a few small companies. Now these are not directly connected to the Internet, like my machine is, so the risk is a little lower I think, but of course it is necessary to keep these machines up to date. So for me this is a good learning experience, and I will dig in deeper in the coming days. The server in the meantime is upgraded to SuSE 7.2 with the latest openssh, and I installed chkrootkit, seccheck and some more monitoring tools.

Leen

At 13:31 22-2-2002 +0100, you wrote:
Hi Leen, since your question was some days ago, this is probably no longer an issue for you. But I think the further actions depend on the context. If the hacked system is part of a small private home LAN, reinstalling the system with the latest software could be sufficient. If the machine is part of a corporate LAN you should consider further investigations. There are some good articles in the German "Linux Magazin" which discuss what to do. The hacker could have started some sniffers and gathered some important passwords, e.g. for your public FTP server and so on. If the hacker has harmed your company and your company will hold the hacker responsible for the damage, you should then look for evidence. In either case http://project.honeynet.org is a pretty good source for information. Nevertheless, IMHO it is pretty dangerous just to replace some corrupted files without a precise analysis, since there are some rootkits which contain kernel loadable modules. These modules try to hide the existence of corrupted files and additional running processes (see the latest issue of the magazine c't). So you might just think your files are okay?

Regards,
Matthias Brocks
<<SNIP>>
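Matthias's point about LKM rootkits hiding processes from the /proc listing is exactly what tools like chkrootkit test for. The following is an added example, not code from either poster or from chkrootkit: it cross-checks the readdir() view of /proc against kill(pid, 0), which goes through the kernel's task lookup instead, and filters out the two usual false positives (thread IDs and processes that started or exited mid-scan). It assumes a Linux procfs mounted at /proc.

```python
import os

PROC = "/proc"  # assumption: a Linux procfs mounted here

def listed_pids():
    # PIDs in the readdir() view of /proc: the view an LKM rootkit filters to hide a process
    return {int(n) for n in os.listdir(PROC) if n.isdigit()}

def probed_pids(max_pid=None):
    # PIDs that exist according to kill(pid, 0), which uses the kernel's task lookup, not readdir()
    if max_pid is None:
        with open(f"{PROC}/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # exists but belongs to another user
        alive.add(pid)
    return alive

def thread_group_id(pid):
    # Tgid from /proc/<pid>/status; None if unreadable. Threads answer kill() but are
    # never top-level /proc entries, so they must not be reported as hidden.
    try:
        with open(f"{PROC}/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return None

def hidden_candidates(listed, probed, tgid_of=thread_group_id):
    # A PID that answers kill() but is absent from the listing, and is a thread group
    # leader (or has no readable status at all), is worth a closer look.
    return [p for p in sorted(probed - listed) if tgid_of(p) in (None, p)]

def scan():
    # Two passes: a PID must be flagged in both to rule out processes that
    # started or exited between the enumerations (a common false positive).
    passes = [set(hidden_candidates(listed_pids(), probed_pids())) for _ in range(2)]
    return sorted(passes[0] & passes[1])

if __name__ == "__main__":
    for pid in scan():
        print(f"PID {pid} answers kill() but is missing from the /proc listing")
```

A hit is a lead, not proof: confirm it from a known-clean boot medium, since a kernel-resident rootkit can lie to kill() as well.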
Participants (1): Leen de Braal