[lug] Signs of hacking (was ARRG! Change One Little Thing And... HACKED?

David L. Anselmi anselmi at anselmi.us
Tue Aug 16 17:56:14 MDT 2005


John Hernandez wrote:
> Not good!  Those are sniffers and the like.  Fire up the 'dozer.  Be
> aware that passwords on your network may have been compromised.

Yes, 'dozer.

Also, learn your lesson and keep your box patched (get a good backup 
routine first, if necessary).  Do they do RH9 security updates anymore? 
  If not, ditch it.  Be paranoid about the code you run and follow a 
list that will notify you of holes in it (PHP has a checkered past). 
Fix/disable code that's broke quickly (that means network services open 
to the Internet but also means any local holes if you let other users on 
the box).

John's last point is the most important.  Any password typed on that box 
has to be changed.  Any machine that those passwords opened has to be 
checked for compromise.  Any private keys on the box have to be changed. 
  Etc.  If you don't get everything, the hackers may be back through 
other accounts and holes they may have.  NCAR went through this last 
year (the bad guys owned an Army system that someone used to log in to 
NCAR).  They didn't have much fun cleaning up but their security and 
incident response got much better.

Dave
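
Added example, not part of the message above: one way to start the "change every key, check every machine" list is to inventory SSH private keys and known_hosts entries on the old disk. The function name `scope_rotation` and the idea of passing a read-only mount point of the disk are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: scope credential rotation after a compromise.
# Run from a trusted machine against a read-only mount of the old disk;
# the mount point argument and the function name are assumptions.
#
# Output lines:
#   KEY <file>         private key: replace it, remove its public half elsewhere
#   HOST <name>        host this box connected to over SSH: check it
#   HASHED <file> <n>  n hashed known_hosts entries that cannot be named
scope_rotation() {
    root=$1

    # PEM and OpenSSH private keys both carry a BEGIN ... PRIVATE KEY line.
    find "$root" -type f -size -64k -exec \
        grep -l -e '-----BEGIN .*PRIVATE KEY-----' {} + 2>/dev/null |
        sort | sed 's/^/KEY /'

    # Every known_hosts file, per-user and system-wide.
    find "$root" -type f \( -name known_hosts -o -name ssh_known_hosts \) \
        -exec awk '
            /^#/ || NF < 3 { next }
            {
                hosts = ($1 ~ /^@/) ? $2 : $1       # skip @cert-authority etc.
                if (index(hosts, "|1|") == 1) { hashed[FILENAME]++; next }
                n = split(hosts, h, ",")
                for (i = 1; i <= n; i++) print "HOST " h[i]
            }
            END { for (f in hashed) print "HASHED " f " " hashed[f] }
        ' {} + 2>/dev/null | sort -u
}

if [ "$#" -gt 0 ]; then
    scope_rotation "$1"
fi
```

This covers only keys and SSH destinations recorded on disk; passwords typed on the box leave no such list and still have to be collected from the users.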


