[lug] Ancient RH box hacked, which packages must be updated?

Tkil tkil at scrye.com
Thu Mar 25 17:58:38 MST 2004


>>>>> "Bear" == Bear Giles <bgiles at coyotesong.com> writes:

Bear> My company is in the process of migrating from an ancient RH
Bear> server to a current RHE or Debian box, but in the meanwhile
Bear> somebody has hacked our box.  Does anyone know which packages
Bear> *must* be updated because of known exploits, or should we
Bear> consider it a lost cause and put all of our effort into
Bear> migrating to the new platform?

Bear> I'm not even sure which version of RH we're running - maybe 6?

Bear> BTW, what we're seeing is a rogue process masquerading as
Bear> 'httpd' that sits on port 17900 and a second random high port.

I'll go one further than rebuilding from scratch.  Get a new disk, at
least; preferably, a whole new computer.  Keep the old disk (and maybe
the computer) for forensic purposes.

As the other responder already pointed out, just updating the box
won't help, not in the face of malicious kernel modules, etc.  Disks
are cheap enough that you should just get a new hard drive and install
on that.  As a bonus, you can then inspect the old drive to see what
got compromised, and how.

t.
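As an added example illustrating the advice above (it is not part of the original post or thread), here is what "inspect the old drive to see what got compromised" can look like once the suspect disk is attached to a clean machine and mounted read-only, e.g. with mount -o ro,noexec,nodev,nosuid. It compares the untrusted tree against a baseline manifest of hashes built from pristine packages on the clean machine, never from the suspect disk itself, and flags modified or missing system binaries, regular files that should not exist under system directories such as /dev, hidden directories under /dev, and new setuid files. The mount point, the manifest, and the sample files in build_demo_tree are hypothetical, constructed so the script runs offline; nothing on the suspect disk is ever executed, which is the point of doing this from a separate system rather than from the compromised install.

```python
"""Offline triage of the old disk from a compromised machine.

Added example, not from the original post.  Assumes the suspect drive is
already mounted read-only on a clean host (e.g. at /mnt/old) and that a
baseline manifest of "sha256  relative/path" lines exists, built from
pristine packages on the clean host.  All paths and sample data are
hypothetical.
"""
import hashlib
import os
import stat
import tempfile

# Directories where a regular file absent from the baseline is itself a finding;
# rootkits of the era commonly parked binaries and config under /dev.
SYSTEM_DIRS = ("bin/", "sbin/", "lib/", "usr/bin/", "usr/sbin/", "usr/lib/", "dev/")


def sha256_of(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def load_baseline(text):
    """Parse sha256sum-style manifest lines ('hexdigest  path') into a dict."""
    baseline = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, rel = line.split(None, 1)
        baseline[rel] = digest
    return baseline


def triage(mount, baseline):
    """Walk the mounted, untrusted root and return sorted (kind, path) findings.

    Only reads the tree; it never runs anything found on the suspect disk.
    """
    findings = []
    seen = set()
    for root, dirs, files in os.walk(mount):
        for d in dirs:
            rel = os.path.relpath(os.path.join(root, d), mount)
            if rel.startswith("dev/") and d.startswith("."):
                findings.append(("hidden-dir", rel))
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, mount)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, device nodes and sockets are out of scope here
            seen.add(rel)
            if rel in baseline:
                if sha256_of(full) != baseline[rel]:
                    findings.append(("modified", rel))
            elif rel.startswith(SYSTEM_DIRS):
                findings.append(("unexpected-file", rel))
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID) and rel not in baseline:
                findings.append(("new-setuid", rel))
    for rel in baseline:
        if rel not in seen:
            findings.append(("missing", rel))
    return sorted(findings)


def build_demo_tree():
    """Construct a fake old root in a temp dir (constructed sample data, not a
    real disk): one trojaned binary, one deleted binary, a rootkit stash under
    /dev, and a setuid shell in /tmp.  Returns (mount, baseline)."""
    mount = tempfile.mkdtemp(prefix="oldroot-")
    clean = {
        "bin/ls": b"#!/bin/sh\necho ls\n",
        "bin/ps": b"#!/bin/sh\necho ps\n",
        "bin/login": b"#!/bin/sh\necho login\n",
    }
    manifest = "\n".join(
        "%s  %s" % (hashlib.sha256(data).hexdigest(), rel) for rel, data in clean.items()
    )
    on_disk = {
        "bin/ls": clean["bin/ls"],                                    # untouched
        "bin/ps": b"#!/bin/sh\n/bin/ps.orig | grep -v httpd\n",     # trojaned ps hides the rogue process
        "dev/.ptyq/httpd": b"\x7fELF fake httpd listening on 17900",  # rootkit stash
        "tmp/.x/sh": b"\x7fELF root shell",                          # setuid backdoor
        "etc/motd": b"Welcome\n",                                     # harmless, not in baseline
    }
    for rel, data in on_disk.items():
        full = os.path.join(mount, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    os.chmod(os.path.join(mount, "tmp/.x/sh"), 0o4755)
    return mount, load_baseline(manifest)


if __name__ == "__main__":
    mount, baseline = build_demo_tree()
    for kind, rel in triage(mount, baseline):
        print("%-16s %s" % (kind, rel))
```

The baseline is the part that matters: a manifest generated on the compromised box, or an rpm -V run against its own (possibly edited) package database, inherits whatever the intruder changed. Build it from the distribution's original packages on the clean machine, and treat a "modified" hit on something like ps, netstat or ls as confirmation that the trojaned process listing Bear describes is hiding things, not as noise.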
