Unfortunately, I have 100+ users, my server is mail and web server, so it is impossible to just disconnect it and install from scratch. Besides, all security pathes were allready applied, so this will not help me, or I am mistaken? Any other suggestions? Thanks, Antun ------------------------------------------- Antun Balaz http://www.phy.bg.ac.yu/~antun/ Institute of Physics, Belgrade Serbia and Montenegro http://www.phy.bg.ac.yu/ ------------------------------------------- On Mon, 24 Nov 2003, Togan Muftuoglu wrote:

* Antun Balaz; on 24 Nov, 2003 wrote:

...

Hi to all, it seems that I have a serious problem, although I updated my SuSE 8.1 server quite recently (all security updates were applied).

I have two questions:

1) What to do right now to prevent any misconduct of my server?

Immediately disconnect the machine from the Internet

...

2) How to clean up the server?

Make a clean install from scratch and make sure before putting it back to the net all patches are applied either use fou4suse or YOU to automate the process.

HTH --

Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://susefaq.sf.net

-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

Dear Togan, I install security paches routinely every week. Can you give me more details how to check if my server is afftected in any way (I deleted content of /tmp directory and applied all measures suggested by Bjorn - thanks a lot), i.e. if some files are replaced etc. Thanks, Antun Balaz Institute of Physics, Belgrade Serbia and Montenegro

Do you routinely install security patches or did you recently applied the patches

...

Any other suggestions?

1) Backup your data ( unless you were not doing that before) 2) carefully check your data 3) check the machine with rootkit

pls. send replies to the mailinglist do not put me in TO or CC or BCC

--

Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://susefaq.sf.net

-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

Thanks to all. By the way, searching the Internet (by Google) looking for rootkit that was used on my machine, I found this site http://www.hackemate.com.ar/ which is full of useful material for hackers. Can we do something about it? Best regards, Antun Balaz Institute of Physics, Belgrade Serbia and Montenegro On Mon, 24 Nov 2003, Markus Gaugusch wrote:

On Nov 24, Antun Balaz wrote:

...

I install security paches routinely every week. I think you could save more time, if you did an upgrade to a newer distribution. Harddisks are not so expensive any more, I usually buy a new harddisk if I update a system, install everything there, copy configuration, check everything and swap harddisk.

Using a stone-old distribution will cost 10x more effort than updating every 2 years to the latest SuSE (especially because 9.0 is on ftp servers now, you can get it for free ;-)

Markus

-- _____________________________ /"\ Markus Gaugusch ICQ 11374583 \ / ASCII Ribbon Campaign markus@gaugusch.at X Against HTML Mail / \ Linux 2.4.21-99-athlon

-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

On Monday 24 November 2003 15:16, David Smith wrote:

On Monday 24 November 2003 16:37, Antun Balaz wrote:

...

Thanks to all. By the way, searching the Internet (by Google) looking for rootkit that was used on my machine, I found this site

http://www.hackemate.com.ar/

which is full of useful material for hackers. Can we do something about it?

However, whether you can/should do is another question. They are not necessarily the people actually cracking your machine, and the issues of "free speech" may come in to play here. A lot of the parts of Linux could be used as cracking tools; should all Linux download sites be taken offline?

There was a good article on that site about rootkits: http://www.hackemate.com.ar/textos/papers/BUANZO-Detecting_and_Understanding... That the original poster might benefit from, if inclined to utilize the site returned from google as being pertinent. In the security community in general, there is a general reliance on an open security model, as opposed to "security through obscurity". I don't think it is healthy to take down the sites you can so easily find (like this one) -- they aren't the problem; there's a million sites out there you can't find so easily. --r dorothy@oz:~> ls scarecrow tinman lion dorothy@oz:~> find . -name home There's no place like home.

Dear Linuxfriends, Am Montag, 24. November 2003 17:42 schrieb Dieter Kirchner:

U might use "lsattr / |less" first, look for files with flag "a u i" set (these are 99% infected). I studied man chattr: #When a file with the `u' attribute set is deleted, its contents are saved. But where are they saved? #This allows the user to ask for its undeletion. Where should I ask? ;-)

chattr is for ext2 I use ext3, the file protected with u can be deleted. Does chattr work only with ext2, it should work with ext3? Or is nor still implemented? Thank you ... -- # MfG Michael Maldener + Das beste Linux ist die Pluralitaet aller Linuxica ;)