15 Sep 1999 14:09
gbruchhaus@makrolog.de wrote:

> today in the early morning I had something like an attack on my linux system
> here. After the attack, I couldn't login as root any more. I found out, that it
> was not possible to set a password in the "shadow password system" any more. I
> can use only the "normal" password mechanism.
> My log-files showed me some hints to the attacker (if it is any): [...]
>
> How is such an attack possible and more important: how can I prevent such an
> intrusion?

1. Update your open network services (such as imapd, pop3, ftpd etc.) regularly
2. Firewall all ports that do not need to be used
3. Set up tcpwrappers for the open ports
.....

> I am using a SuSE Linux 5.2 with a 2.0.33 kernel

If you've never updated any packages, then you are vulnerable to many attacks.

You should immediately take the system off the net (if not already done), make a
backup of the complete filesystem for evidence, and reinstall everything from
scratch. This might not have been the first intrusion, but the first you've
noticed because the cracker was not good. You might have hundreds of people with
root backdoors to your server. You should not trust any bit you find on it.

Contact me if you need further help...

Kind regards / Yours
Stefan Salzer

--
Quality is not what you promise, but what you deliver!
========================================================================
Would you like to receive our free newsletter "cinNews"?
You can subscribe at http://news.cin.de!
------------------------------------------------------------------------
Stefan Salzer              e-Mail:  salt@cin.de
Connect Internetworking    Telefon: +49 6106 8498 0
Hauptstr. 139              Telefax: +49 6106 8498 299
63110 Rodgau               WWW:     http://www.cin.de
Germany
========================================================================
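
An added example, not part of the original message: one way to check points 2 and 3 of the reply on a host whose network services are started from inetd. It lists every enabled service in an inetd.conf-style file and marks those not started through the tcpd wrapper. The function names, the /usr/sbin/tcpd path and the sample file contents are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audit an inetd.conf-style file for enabled services and
# whether each is started through the TCP wrapper daemon (tcpd).
# Assumed inetd.conf field order:
#   service socket-type protocol wait/nowait user server-program [args...]

# Print one line per enabled service:
#   WRAPPED   <service>/<proto>   started via tcpd (hosts.allow/hosts.deny apply)
#   UNWRAPPED <service>/<proto>   started directly, no tcpwrappers access control
#   INTERNAL  <service>/<proto>   handled inside inetd itself
audit_inetd() {
    awk '
        /^[ \t]*#/ || NF < 6 { next }   # skip disabled, blank and malformed lines
        $6 == "internal"     { print "INTERNAL " $1 "/" $3; next }
        $6 ~ /(^|\/)tcpd$/   { print "WRAPPED " $1 "/" $3; next }
                             { print "UNWRAPPED " $1 "/" $3 }
    ' "$1"
}

# Number of enabled services that bypass tcpd; 0 is the goal for point 3.
count_unwrapped() {
    audit_inetd "$1" | awk '$1 == "UNWRAPPED" { n++ } END { print n + 0 }'
}

# Constructed sample input (not taken from the poster's system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed inetd.conf sample
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd    in.ftpd -l -a
pop3    stream  tcp  nowait  root  /usr/sbin/ipop3d  ipop3d
imap2   stream  tcp  nowait  root  /usr/sbin/imapd   imapd
#telnet stream  tcp  nowait  root  /usr/sbin/tcpd    in.telnetd
time    stream  tcp  nowait  root  internal
EOF

audit_inetd "$sample"
echo "unwrapped services: $(count_unwrapped "$sample")"
```

Every line in the output is a listening service that needs to be kept up to date or commented out; an UNWRAPPED entry is additionally not covered by any hosts.allow or hosts.deny rule.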