7 Jan 2004, 15:39

Manuel Balderrábano wrote:
I guess my mistake was not having all patches applied, but my serious doubt is: I had a 2.4.23 kernel, so how could the intruder become root after the breakthrough? It is supposed to be the last 2.4 kernel available; could he have used another exploit?
Just because you were running a recent kernel doesn't mean patches for exposed services (Apache, MySQL, etc.) aren't necessary. I would be cautious about transferring any binaries from the old server to the new installation, and you might want to reset all old user passwords. It would probably be a good idea to use a package like AIDE or Tripwire regularly and send all critical logs to an external box which alerts you (via email, pager, whatever) of any weird events.
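The integrity-check idea in this reply, reduced to its core, as an added example (not code from the thread, nor from AIDE or Tripwire): record a baseline of hashes and permissions for the files you care about, then compare a fresh scan against it. The directory layout and file contents below are constructed for the demonstration; in practice the baseline belongs on the external box the reply mentions, since a baseline kept on the compromised host can be rewritten by the intruder.

```python
import hashlib
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """One baseline entry: content hash plus mode and ownership."""
    st = path.lstat()
    return {
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
    }


def build_baseline(root: Path) -> dict:
    """Fingerprint every regular file under root, keyed by relative path."""
    return {str(p.relative_to(root)): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Report changed, added and removed files; any non-empty list is an alert."""
    changed = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    return {"changed": changed, "added": added, "removed": removed}


def demo() -> dict:
    """Constructed scenario: baseline two files, then alter one and add another."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary\n")
        (root / "bin" / "ps").write_bytes(b"original ps binary\n")
        baseline = build_baseline(root)          # would be stored off-host
        (root / "bin" / "ps").write_bytes(b"replaced ps binary\n")  # tampering
        (root / "bin" / ".hidden").write_bytes(b"unexpected new file\n")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```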