Burn the logs, /etc and /tmp to a CD also.  You can always go back through
them.  

However, I got a call from the FBI about 2 months ago asking for the logs
from one of my old machines.  Someone apparently got busted with a list of
IPs that he had compromised and one was mine from my old DSL line.  It was
the ADMROCKS exploit.  I caught it within an hour of the compromise and I
fixed it right away.  Anyway, they were going to prosecute the guy and they
wanted as much evidence as possible.  Apparently, he was setting up a huge
DDoS network.

I learned a very important thing from this though: chroot everything you
can, especially BIND.  

Stock Linux installs are pathetically insecure also.  A default Mandrake
install has about 15 TCP ports hanging open, and Red Hat is not any better.

Jay


> -----Original Message-----
> From: sos at zjod.net [mailto:sos at zjod.net]
> Sent: Thursday, December 14, 2000 12:51 AM
> To: tclug-list at lists.real-time.com
> Subject: Re: [TCLUG] Could Someone tell me what might be 
> happening here.
> 
> 
> Joseph Johnson wrote:
> > 
> > 
> > 
> > 
> >> Yeah... you've been hacked.
> > OK, so I wipe the drive and reinstall; how do I prevent it from 
> happening again?
> > Or if I leave it up can I catch whoever is messing around 
> or at least figure
> > out why?
> > Joseph
> 
> Trying to catch these script-kiddies is a waste of time.  
> Chances are they're
> using your box from _another_ hacked box... not directly from 
> where they live.
> Since your original hack-daemon is controlled by a box in 
> Jordan, who are you
> gonna call if you _do_ catch 'em?  In the US, unless you've 
> suffered $10,000
> in damages, the FBI's "National Infrastructure Protection 
> Center Squad"
> doesn't want to talk to you, while your state and local 
> police probably can't
> even spell Linux.
> 
> About your only _secure_ option is to re-install from 
> square-one (remembering
> to also add security updates provided by your Linux distributor).
> 
> To prevent a hacker reinfestation, if your Linux distribution 
> contains an
> automatically configured firewall, install it.  If not, get 
> one (I recommend
> PMFirewall for newbies, see http://www.pointman.org).
> 
> In addition to a firewall, consider obtaining and using:
> 	- tcp-wrappers
> 	- ip-logging 
> 	- shadow logging of system logs
> 	- tripwire
> 	- periodic backups to removable media
> 	- install ssh to replace rcp & telnet
> 	- turning off services you don't need (like rcp, 
> telnet, ftp, ...)
> 
> and if you're still not scared away from Linux, have no life, 
> and like to
> read, consider obtaining (at a list price of $48.99) and 
> reading "Linux System
> Security" by Scott Mann and Ellen L. Mitchell (ISBN 
> 0-13-15807-0, 2000,
> Prentice-Hall).
> 
> Hope this helps'idly,
> 
> -S
> _______________________________________________
> tclug-list mailing list
> tclug-list at lists.real-time.com
> https://mailman.real-time.com/mailman/listinfo/tclug-list
>
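Both posts above lean on the same practice: keep a trustworthy copy of what the box looked like (logs burned to CD, a tripwire manifest, backups on removable media) so that a later compromise can be detected and the evidence survives.  Below is an added example of that technique, a tripwire-style integrity baseline.  It is not code from Jay, from "sos", or from the Tripwire project; it uses only the Python standard library, and every function, file and directory name in it is my own choice for the illustration.  It goes a little beyond the list entry by also hashing the manifest itself, which is what you would write on the CD label so the manifest can be checked for tampering.

```python
"""Tripwire-style file integrity check: hash a tree into a manifest, keep the
manifest off-box, re-hash later and report what was added, removed or changed.

Added example for this thread, not code from any of its authors or from the
Tripwire project.  Uses only the Python standard library; the watched
directory and manifest path are whatever the caller passes in.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def hash_file(path: str, chunk_size: int = 1 << 16) -> str:
    """SHA-256 of one file, read in chunks so big logs are not loaded into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map every regular file under root (path relative to root) to its hash.

    Symlinks are skipped on purpose: following them would let an attacker
    point a watched name at an untouched file and hide a swapped binary.
    """
    manifest: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order keeps manifests diffable
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            manifest[os.path.relpath(full, root)] = hash_file(full)
    return manifest


def save_manifest(manifest: Dict[str, str], path: str) -> None:
    """Write the manifest as sorted JSON; copy this file to read-only media."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path: str) -> Dict[str, str]:
    with open(path) as f:
        return json.load(f)


def manifest_digest(manifest: Dict[str, str]) -> str:
    """Hash of the canonical manifest.  Write it on the CD label or in a
    notebook so a tampered manifest can itself be detected."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff two manifests.  'changed' means the path exists in both with a
    different hash; a file replaced by a symlink shows up as 'removed'."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "changed": sorted(p for p in base & cur if baseline[p] != current[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario (hypothetical files, not real system paths):
    baseline a small tree, tamper with it, check against the saved manifest.
    Returns the diff report."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.mkdir(os.path.join(root, "sub"))
        for rel, data in (("a.txt", b"original"), ("b.txt", b"to be deleted"),
                          (os.path.join("sub", "c.txt"), b"untouched")):
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        # The manifest lives outside the watched tree, as it would on a CD.
        manifest_path = os.path.join(store, "baseline.json")
        baseline = build_manifest(root)
        save_manifest(baseline, manifest_path)
        # Simulated intrusion: one file modified, one removed, one dropped in.
        with open(os.path.join(root, "a.txt"), "wb") as f:
            f.write(b"trojaned")
        os.remove(os.path.join(root, "b.txt"))
        with open(os.path.join(root, "d.txt"), "wb") as f:
            f.write(b"rootkit")
        loaded = load_manifest(manifest_path)
        if manifest_digest(loaded) != manifest_digest(baseline):
            raise RuntimeError("manifest on disk no longer matches its recorded digest")
        return compare(loaded, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Take the baseline right after the clean reinstall and again after every round of vendor security updates, and keep baseline.json plus its digest on the same removable media as the burned logs.  Two caveats a practitioner should keep in mind: a kernel-level rootkit can lie to a userland checker, so for a box you already suspect, boot from trusted media and hash the disk from there; and real Tripwire also records owner, permissions, inode and mtime, which this hash-only version does not.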