Mailinglist Archive: opensuse (3637 mails)

Re: [SLE] hacked?
  • From: James Oakley <joakley@xxxxxxxxxxxxxxx>
  • Date: Wed, 2 May 2001 15:52:59 -0300
  • Message-id: <200105021853.f42Ir4j21880@xxxxxxxxxxxxxxxxxxxxx>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On May 2, 2001 11:30 am, elicker@xxxxxxxxx wrote:
> I never bothered to look /var/log/messages file until now.
>
> Just by curiosity I was browsing the file and I see the excerpt that
> follows.
>
> It seems that someone at 200.204.201.138 was trying to break into my
> computer.
>
> My box is a minimal SuSE 6.4 with KDE2, apache and samba added. No
> special security measures were taken.
>
> As I know nothing about security I am looking for some advice.
>
> Does this guy at 200.204.201.138 succeed? Was I hacked?
>
> What is "popper"? AFAIK there is nothing in my box with this name.

popper is for pop3 connections. It is called from inetd.

Here is how I handle security. I feel relatively safe with this setup.

- All mail to root is forwarded to me (very important and useful). Simply
place a file called '.forward' in '/root' containing the email address you
want messages forwarded to

- The SuSE security scripts are installed and run every night. They are
extremely thorough and will probably catch about 90%+ of all the
skript-kiddiez out there some way or another as long as you read and
understand the reports. They all assume that Linux == RedHat, hehheh

- Scanlogd is installed and running. I grep messages for scanlogd every
once in a while.

- SuSEFirewall is running. I only let in ports that are absolutely
necessary. Even though I have a mail server, the pop and IMAP ports are
firewalled. I have Kmail set up to tunnel mail over SSH (I can explain that
in more detail if anyone wishes). Open ports: http, domain (udp), smtp. I
set up "trusted hosts" to the time server I use and allow time connections
from it (required for ntp to work properly)

- I am subscribed to the suse-security mailing list and I check every
advisory

- I run the YaST Online Updater at least every week (7.1 only,
unfortunately)

- I have disabled anything I don't use in /etc/inetd.conf

- Remember that 'passwords' are inappropriately named. You should never use
a word for one. Mix letters and numbers and make them such that they cannot
be easily guessed by software with a dictionary

- Only install trusted RPM files and avoid installing programs from
tarballs. If your trusted source (SuSE) does not have that package in RPM,
create one. This gives you the ability to 'verify' that programs have not
been messed with

If you suspect that someone has messed with you, you can check a number of
things. Here's what I would do, in order:

- type 'rpm -V psutils' and pray that it outputs nothing. If it spits
filenames at you, the box probably has a rootkit installed and you should
immediately back up your data and reinstall

- Verify some other packages the same way as above: bash and nkitb,
especially

- Type 'ps aux | less' and check that every process should be there and
verify the package the program is contained in. For example, if you see
'httpd' you can 'rpm -V `which httpd`' or the full path as seen in the ps
output

- If you're really paranoid, verify every single package on your system. I
have done this a couple of times and it is a security procedure I recommended
where I work when we suspect that something is awry. The scary part is, I'm
not the most paranoid one here...

- Look around my filesystem with 'mc'. Some rootkits modify 'ls' to hide
themselves and mc is just faster. Look for any directories that begin with
'.' The SuSE security scripts do a good job of reporting strange behaviour
but nothing replaces looking around yourself if the scripts turn up something
strange.

Sounds like a mess of work, doesn't it? Note that if you protect yourself in
the beginning you can save yourself from a ton of work in the end. I rarely
have to go through the second list these days but I verify psutils from time
to time.

--
James Oakley
Engineering - SolutionInc Ltd.
joakley@xxxxxxxxxxxxxxx
http://www.solutioninc.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE68FeL+FOexA3koIgRAkeaAJ0RLWYz6CCjgLEsdF8KZoiU9MDvPgCdHHFP
DFEybS8G0aqqJKu9GYyYMM8=
=dLRy
-----END PGP SIGNATURE-----
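James greps /var/log/messages for scanlogd by hand; the question that started the thread is exactly the case where that grep pays off, because the interesting thing is not the scan itself but whether the scanning host came back and talked to an inetd service (popper, in.telnetd) afterwards. The script below is an added example and is not part of the original post. It correlates scanlogd reports with later connections from the same address. The log lines are constructed for the demo in the general shape of syslog entries from scanlogd and from inetd-started services (tcp_wrappers "connect from <ip>", popper "... at <ip>"); they were not taken from any real system, and the field positions assumed (syslog tag in field 5, scanning source in field 7 of a scanlogd line) are an assumption about that shape.

```shell
#!/bin/sh
# Correlate scanlogd port-scan reports in /var/log/messages with the
# service connections the same source makes afterwards.  Added example,
# not from the original post.  The log lines are constructed in the
# general shape of syslog entries from scanlogd and from inetd-started
# services (tcp_wrappers "connect from", popper "... at <ip>"); they are
# not from any real system.  On a live box: correlate_scans < /var/log/messages

SAMPLE_MESSAGES='May  2 10:01:12 box scanlogd: From 10.9.8.7 to 192.168.1.2 ports 21, 22, 23, 25, 110, 111, 143, TOS 00, TTL 48 @10:01:11
May  2 10:01:20 box in.telnetd[2211]: connect from 10.9.8.7
May  2 10:01:31 box popper[2214]: (v2.53) Servicing request from "x" at 10.9.8.7
May  2 10:05:02 box popper[2260]: (v2.53) Servicing request from "alice" at 192.168.1.10
May  2 11:40:00 box scanlogd: From 172.16.5.5 to 192.168.1.2 ports 80, 443, TOS 00, TTL 120 @11:39:59'

# Reads syslog lines on stdin; prints one line per scanning source, in
# order of first appearance, with the services it connected to later.
correlate_scans() {
  awk '
    # last whitespace-separated field that looks like a dotted-quad address
    function ip_field(    i) {
      for (i = NF; i > 0; i--)
        if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) return $i
      return ""
    }
    NF < 5 { next }
    # scanlogd report: field 5 is the syslog tag, field 7 the scanning source
    $5 ~ /^scanlogd(\[[0-9]+\])?:$/ && $6 == "From" {
      src = $7
      if (!(src in scans)) order[++n] = src
      scans[src]++
      next
    }
    # any other line: attribute it to a known scanner by its address
    {
      ip = ip_field()
      if (ip == "" || !(ip in scans)) next
      svc = $5; sub(/\[.*$/, "", svc); sub(/:$/, "", svc)   # strip "[pid]:"
      follow[ip] = follow[ip] " " svc
      nfollow[ip]++
    }
    END {
      for (i = 1; i <= n; i++) {
        s = order[i]
        printf "SCANNER %s scans=%d followups=%d%s\n", s, scans[s], nfollow[s] + 0, follow[s]
      }
    }
  '
}

# Stand-alone demo over the constructed sample.
printf '%s\n' "$SAMPLE_MESSAGES" | correlate_scans
```

A scanner with followups=0 is noise that the firewall handled; a scanner that later shows up as a popper or in.telnetd connection is the line to take to the second half of James's list (the rpm -V checks), because a scan followed by a successful connection to a service is the pattern a login attempt leaves behind.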
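The second half of James's list comes down to reading 'rpm -V' output correctly, and the hard part is telling a benign line (a config file you edited, a documentation file whose mtime changed) from the one that means a rootkit (a changed checksum on /bin/ps, a mode change on /bin/ls, a binary that has vanished or that no package owns). The script below is an added example, not from the original post. It triages 'rpm -V' lines by their flag field, and includes a helper that walks /proc, maps each running binary to its package with rpm -qf (rpm -V takes a package name, so the script does not depend on what the package holding ps is called on a given release) and verifies those packages. The sample output it runs on is constructed for the demo; the 'unowned' token is this script's own marker, not something rpm prints.

```shell
#!/bin/sh
# Triage for 'rpm -V' output, plus a helper that verifies the package
# behind every running binary.  Added example, not from the original post.
# Assumptions: an RPM-based system with /proc for the live helper; the
# standard 'rpm -V' line format (an 8- or 9-character flag field such as
# S.5....T, an optional file-type letter such as c for a config file, then
# the path; the word 'missing' for a file that is gone).  'unowned' is this
# script's own marker, not an rpm output line.

# Constructed sample of 'rpm -V' output (not captured from a real system).
SAMPLE_RPM_V='S.5....T  c /etc/inetd.conf
.......T    /usr/share/doc/packages/bash/README
S.5....T    /bin/ps
.M......    /bin/ls
missing     /usr/bin/top'

# Classify one verification line.  Prints "CRITICAL path reason" or
# "INFO path reason".  Paths containing whitespace are not handled.
classify_rpm_v_line() {
  line=$1
  set -f; set -- $line; set +f        # split on whitespace, no globbing
  flags=$1; shift
  case $flags in
    missing|unowned)
      [ $# -gt 1 ] && shift           # drop a file-type letter if present
      if [ "$flags" = missing ]; then
        echo "CRITICAL $1 file missing"
      else
        echo "CRITICAL $1 not owned by any package"
      fi
      return ;;
    *[!SM5DLUGTP.]*)
      echo "INFO $line (unrecognised rpm -V line)"; return ;;
  esac
  attr=
  case $1 in c|d|g|l|r) attr=$1; shift ;; esac
  path=$1
  case $flags in
    *[MLD]*) echo "CRITICAL $path mode, symlink target or device changed" ;;
    *[UG]*)  echo "CRITICAL $path owner or group changed" ;;
    *[S5]*)
      if [ "$attr" = c ]; then
        echo "INFO $path config file edited locally"
      else
        echo "CRITICAL $path contents changed (size or checksum)"
      fi ;;
    *)       echo "INFO $path only timestamp or other metadata changed" ;;
  esac
}

# Read 'rpm -V' output on stdin, print one classified line per input line
# and a summary; exit status 1 if anything CRITICAL was seen.
triage_rpm_verify() {
  crit=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    result=$(classify_rpm_v_line "$line")
    echo "$result"
    case $result in CRITICAL*) crit=$((crit + 1)) ;; esac
  done
  echo "SUMMARY critical=$crit"
  [ "$crit" -eq 0 ]
}

# Emit 'rpm -V' output for every package that owns the binary of a running
# process, plus an 'unowned' line for binaries no package claims.  Pipe it
# into triage_rpm_verify.  Not run by the demo below (needs rpm and /proc).
verify_running_binaries() {
  for p in /proc/[0-9]*; do
    readlink "$p/exe" 2>/dev/null
  done | sed 's/ (deleted)$//' | sort -u | while IFS= read -r exe; do
    if pkg=$(rpm -qf "$exe" 2>/dev/null); then
      echo "$pkg"
    else
      echo "unowned     $exe"
    fi
  done | sort -u | while IFS= read -r item; do
    case $item in
      unowned*) echo "$item" ;;
      *)        rpm -V "$item" ;;
    esac
  done
}

# Stand-alone demo over the constructed sample.
printf '%s\n' "$SAMPLE_RPM_V" | triage_rpm_verify \
  || echo "(CRITICAL findings present)"
```

On a live box the call is `verify_running_binaries | triage_rpm_verify`. The exit status is the point: a clean system prints only INFO lines and a zero summary, which is the "outputs nothing" James prays for, while a single CRITICAL line on a core binary is the signal to stop trusting that host's own tools, back up the data and reinstall.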
