[lug] Signs of hacking (was ARRG! Change One Little Thing And... HACKED?)
David L. Anselmi
anselmi at anselmi.us
Tue Aug 16 17:56:14 MDT 2005
John Hernandez wrote:
> Not good! Those are sniffers and the like. Fire up the 'dozer. Be
> aware that passwords on your network may have been compromised.

Yes, 'dozer.

Also, learn your lesson and keep your box patched (get a good backup
routine first, if necessary). Do they do RH9 security updates anymore?
If not, ditch it. Be paranoid about the code you run and follow a
list that will notify you of holes in it (PHP has a checkered past).
Fix/disable code that's broke quickly (that means network services open
to the Internet but also means any local holes if you let other users on
the box).

John's last point is the most important. Any password typed on that box
has to be changed. Any machine that those passwords opened has to be
checked for compromise. Any private keys on the box have to be changed.
Etc. If you don't get everything, the hackers may be back through
other accounts and holes they may have. NCAR went through this last
year (the bad guys owned an Army system that someone used to log in to
NCAR). They didn't have much fun cleaning up but their security and
incident response got much better.

Dave