[PLUG] Got hacked last night - HELP!
Sandy Herring
sandy at herring.org
Mon Oct 4 16:04:03 UTC 2004
On Mon, 04 Oct 2004, Bill Thoen wrote:
> Well, lucky me. My RH 8 box got hacked again. That makes Linux just as
> insecure as Windows. The only visible damage (so far) was that my home web
> page got changed to "un-root crew ownz you."
>
> But what happened? There is nobody who should be creating users named
> 'luis' or 'dudu', but here's what I have in /var/log/secure.1:
[...log snipped...]
>
> What else should I check? At the very least how do I keep 63.164.60.12 out
> of my SSH system?
>
> - Bill Thoen
Is your version of SSH up to date? (what does `ssh -V' output? 3.9p1 is
the latest). If not, get current...
    ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/rpm/
(see the README file)

What does your Protocol param in /etc/ssh/sshd_config permit? You should
only allow version 2... `man 5 sshd_config'.

The first thing you need to do is make certain you've closed any holes
in your ssh installation. You can keep unwanted visitors at bay via
tcp_wrappers. e.g.,

/etc/hosts.allow
    #insert ip addresses you want to grant access via SSH
    sshd: 123.123.0.234 192.168.0.

/etc/hosts.deny
    sshd: ALL

This allows access via ssh to 123.123.0.234 and anyone in the
192.168.0/24 (Class C) address space. `man 5 hosts_access' for more.

hth,
Sandy
--
Sandy Herring, RHCE o sandy at herring.org
Peck of Pickled Pisces __ o http://herring.org/
UNIX or Web authoring questions? |\/ o\ o http://herring.org/finger.html
->http://herring.org/techie.html |/\__/ http://herring.org/pub-key.asc
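
Added example (not part of the original message): a simplified Python model of how tcp_wrappers evaluates the two files shown above, so the rules can be checked against sample addresses before relying on them. It assumes only three client pattern forms (ALL, an exact IPv4 address, a trailing-dot prefix); the function names are hypothetical.

```python
# Simplified model of the hosts_access(5) decision order (added example).
# Supported client patterns (a subset): ALL, exact IPv4 address, and a
# trailing-dot address prefix such as "192.168.0.".

# File contents as given in the message above.
HOSTS_ALLOW = """\
#insert ip addresses you want to grant access via SSH
sshd: 123.123.0.234 192.168.0.
"""
HOSTS_DENY = """\
sshd: ALL
"""


def parse_rules(text):
    """Return a list of (daemon_list, client_list) pairs from an access file."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules


def client_matches(pattern, addr):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # address prefix, e.g. "192.168.0."
        return addr.startswith(pattern)
    return pattern == addr             # exact address


def rule_hit(rules, daemon, addr):
    return any(
        any(d in ("ALL", daemon) for d in daemons)
        and any(client_matches(c, addr) for c in clients)
        for daemons, clients in rules
    )


def decide(daemon, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow is checked first, then hosts.deny; no match means granted."""
    if rule_hit(parse_rules(allow), daemon, addr):
        return "granted"
    if rule_hit(parse_rules(deny), daemon, addr):
        return "denied"
    return "granted"


if __name__ == "__main__":
    for ip in ("123.123.0.234", "192.168.0.77", "192.168.1.5", "63.164.60.12"):
        print(ip, decide("sshd", ip))
```

With an empty hosts.deny the last address is granted, which is why the `sshd: ALL` deny line matters; daemons not named in either file are also granted by default.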