A system is only as secure as the administrator makes it. Your message is too vague to give you any sort of reasonable answer. For all I know you allowed root to ssh into your box and root had no password, or an easily guessed password. I could keep guessing why someone hacked your box but that would be useless. Make sure your box is up to date, that you only have the services you need running on it, that you understand the security issues with each service, and that you have a good security policy in place. If you do not understand a service, or how to secure it, do not open it up to the wild. Play with it and learn it on a private box and THEN implement it with a good security policy.
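One way to turn the advice above ("only the services you need", know what each one exposes) into a repeatable check. This is an added example, not code from the thread or from SuSE: it audits which ports are listening against an allowlist and checks that system directories still have their expected modes (the original post reports /tmp and /var changed to 700 after the break-in). The listener sample is a constructed string in the layout of `netstat -tln` output, and the allowed ports (22, 25, 3306) are an assumption based on the services the poster mentions.

```shell
#!/bin/sh
# Added example (not from the thread): a small post-install audit in the spirit
# of the advice above. Two checks: listening ports outside an allowlist, and
# system directories whose mode drifted from the usual baseline.

# Constructed sample in the layout of `netstat -tln` output. On a live host you
# would feed the real command's output in instead of this string.
SAMPLE_LISTENERS='tcp        0      0 0.0.0.0:22      0.0.0.0:*       LISTEN
tcp        0      0 0.0.0.0:25      0.0.0.0:*       LISTEN
tcp        0      0 0.0.0.0:3306    0.0.0.0:*       LISTEN
tcp        0      0 0.0.0.0:6667    0.0.0.0:*       LISTEN'

# Ports this host is meant to expose (assumption: ssh, smtp, mysql as in the post).
ALLOWED_PORTS="22 25 3306"

# unexpected_listeners LISTING ALLOWED
# Prints one line per LISTEN socket whose local port is not in ALLOWED.
unexpected_listeners() {
    listing="$1"
    allowed="$2"
    printf '%s\n' "$listing" | awk -v allowed="$allowed" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $NF == "LISTEN" {
            port = $4
            sub(/.*:/, "", port)      # keep only what follows the last colon
            if (!(port in ok)) print port
        }'
}

# check_mode DIR EXPECTED_OCTAL
# Returns 0 when DIR has exactly the expected mode, 1 when it differs,
# 2 when DIR cannot be inspected. Relies on stat -c '%a' (GNU/busybox stat).
check_mode() {
    dir="$1"
    expected="$2"
    actual=$(stat -c '%a' "$dir" 2>/dev/null) || return 2
    [ "$actual" = "$expected" ]
}

# audit_dirs reports directories whose mode differs from the baseline below.
# Baseline is the usual Linux layout: world-writable sticky /tmp (1777) and
# world-readable /var (755). A 700 on either, as described in the thread, is flagged.
audit_dirs() {
    printf '%s\n' "/tmp 1777" "/var 755" | while read -r dir mode; do
        if check_mode "$dir" "$mode"; then
            echo "ok       $dir is $mode"
        else
            echo "WARNING  $dir is not $mode (got $(stat -c '%a' "$dir" 2>/dev/null || echo unknown))"
        fi
    done
}

echo "Listening ports outside the allowlist:"
unexpected_listeners "$SAMPLE_LISTENERS" "$ALLOWED_PORTS" | sed 's/^/  port /'
echo "Directory mode audit:"
audit_dirs
```

On the constructed sample the audit reports port 6667 as the one listener not on the allowlist; run against a real host, replace `SAMPLE_LISTENERS` with the output of `netstat -tln` and extend the baseline list with whatever other directories you care about. A warning from either check is a reason to look closer, not proof of compromise by itself.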
Hi again. I just re-installed a SuSE 8.1 and included all patches and updates available. I will now re-install all old services and their contents one by one; I hope nothing else than the system was compromised!
I guess my mistake was not having all patches applied, but my serious doubt is: I had a 2.4.23 kernel, so how could the intruder become root after the break-in? It is supposed to be the last 2.4 kernel available; could he have used another exploit?
Thanks to all for the interest.
On Wednesday, 7 January 2004 12:32, Manuel Balderrábano wrote:
Hi.
I just got some services (mysql, postfix, cvs...) shut down, took a look at /tmp, and found a miro.tgz and a "miro" executable.
On the executable you can read:
.-= Backdoor made by Mironov =-. .-= Running =-.
I don't know how much this attack may have compromised the system.
Under /var/log/ there are no clues on how they may have entered, /var/log/messages has been deleted.
Directories like /tmp or /var have changed permissions since the attack to 700
Now ssh works really slow unless connected to the Internet, and I feel very uncomfortable about connecting this server again to the Internet.
The system is a SuSE 8.1; I had it a little forgotten lately, though.
Does anybody know anything about how they may have entered the system and how I can fix it? I'm seriously thinking about installing a SuSE 9.0, but want to know what happened before doing anything.
Thanks in advance.
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
--
Manuel Balderrábano
e-mail: garibolo@wanadoo.es