Mailinglist Archive: opensuse-security (192 mails)

Re: [suse-security] recovering from a possible hack
  • From: Johannes Vieweg <jvg@xxxxxxx>
  • Date: Wed, 10 May 2000 22:38:48 +0200 (CEST)
  • Message-id: <XFMail.000510223848.jvg@xxxxxxx>

On 10-May-00 Chrissy LeMaire wrote:

> We can't find any evidence that the machine
> was actually rooted..

I think it's more secure if you change all passwords, even the root one.

> I recommended a backup, format, new install of 6.4..
> but the machine has a lot of data and it will be really time consuming. I
> reconsidered and thought that since 6.4 will replace practically
> everything..including the kernel and all, is it worth the format?

My personal opinion is that you should do the following steps:

1.) close the system, shut down all network links (by software & hardware)
2.) make a backup of the whole system (=> if you want to analyze it later)
3.) reinstall the whole system (don't forget to format)
4.) now, the first thing you should do is update and fix all services
(the kernel and so on) => try to find security fixes!!
5.) enter new passwords, don't use the old ones
6.) install the rest of your system (additional software & data)
7.) shut down all insecure services and useless services (useless for you):

+ telnet => try using ssh (it's encrypted with a 768-bit key)
+ rsh and so on

It looks like you've got a lot of work, but I think it's the most secure way.
At the end, make a portscan of your system (use saint or other software) and
close all ports you don't need.

Johannes Vieweg

P.S.: Sorry about my bad English.
Key-ID: 0xCA9F07CC
Fingerprint: AA05 1213 6AA3 918C F3AB 922D 4A26 1A41 CA9F 07CC
E-Mail: Johannes Vieweg <jvg@xxxxxxx>
Date: 10-May-00
Time: 21:41:56
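Step 7 of the procedure above (shutting down telnet, rsh and similar services before the machine goes back on the network) can be checked and applied against an inetd.conf with a small script. The following is an added example for this archive page, not code from the original mail; the inetd.conf contents and the set of service names it treats as insecure are constructed for the demonstration.

```shell
#!/bin/sh
# Audit an inetd.conf for the clear-text / trust-based services the post says
# to shut down (telnet and the rsh family), and write a hardened copy with them
# commented out. Example added to this page; the sample config is constructed.

# Service names (first field of an inetd.conf line) treated as insecure here:
# telnet, and the rsh family (shell = rsh, login = rlogin, exec = rexec).
INSECURE_SERVICES="telnet shell login exec"

# Print the enabled insecure services found in the given inetd.conf.
# Lines starting with '#' are already disabled and are skipped.
list_insecure_services() {
    conf="$1"
    grep -v '^[[:space:]]*#' "$conf" | awk -v list="$INSECURE_SERVICES" '
        BEGIN { n = split(list, names, " "); for (i = 1; i <= n; i++) want[names[i]] = 1 }
        NF >= 6 && ($1 in want) { print $1 }'
}

# Write a copy of the config with those services commented out, so they no
# longer start once inetd is restarted (or after reinstall, before networking).
disable_insecure_services() {
    src="$1"; dst="$2"
    awk -v list="$INSECURE_SERVICES" '
        BEGIN { n = split(list, names, " "); for (i = 1; i <= n; i++) want[names[i]] = 1 }
        /^[[:space:]]*#/ { print; next }
        NF >= 6 && ($1 in want) { print "#" $0; next }
        { print }' "$src" > "$dst"
}

# Constructed sample inetd.conf (not a real SuSE configuration).
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#finger stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
pop3    stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/popper
EOF

# Report what is currently enabled, then produce the hardened copy.
echo "Enabled insecure services:"
list_insecure_services "$SAMPLE_CONF"
HARDENED_CONF="$(mktemp)"
disable_insecure_services "$SAMPLE_CONF" "$HARDENED_CONF"
```

Running it reports telnet, shell and login as still enabled in the sample, and the hardened copy leaves ftp and pop3 untouched while commenting those three out.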
