loading default keymap failed
dishawjp:
Hi void main!
I guess I'm just special... or lucky... or something! All that I can think is that some 13 yr. old turd found my FTP port open while I was getting files in from my network drive. There were about 25 files I needed and the connection was open for about an hour, but...
Anyway, the reason that I think that it was a virus is that when I ran F-prot, a command line virus utility, it started finding files infected. These included ls, rm, bash, chmod, and many others. Worst was that it was unable to disinfect the files, only delete them. And some it was unable to delete. It did delete a total of 27 or so files. I then was going to switch to the csh to try and clean up bash and hopefully some other infected files that I couldn't get at the first time, and I got a "permission denied" message when trying to run the virus scanner again. And I couldn't do a chmod to it since the chmod command had been infected and... Oh hell, that's when I gave up and started my reinstall.
It does take me a lot of time, but I have a slow old computer (for another week or so) and I do a lot of fumbling around setting up ppp dialer and pap and stuff like that. Also I include in that time things like downloading and reinstalling programs like that apt-get for Red Hat you posted to the list and doing all the updates. With 56k, even if I knew what I was doing, it wouldn't have been a whole lot faster.
Your web page looks really great. I've bookmarked it and will continue to check in on it as it grows.
I was glad to hear that this was an unusual experience. I've been using the internet for about 12 yrs now and this is the first time I've ever gotten nailed like this. I always thought you had to be either stupid or very unlucky to get one of these things. Now I'm ready to consider active virus scanning and firewalls. Stuff I used to laugh about not too long ago.
Have a great Thanksgiving!
Jim
voidmain:
That is a typical example of a break in and the installation of a "root kit". This is not a virus. The AV vendors that are creating software for Linux are looking for root kits along with the few known viruses. If you know what you are doing it is easy to detect a break in and files that are part of a root kit. In fact your system comes with all of these tools. tripwire is great for detecting things that have changed, rpm also can verify the integrity of your files. It is also possible to clean up from such a break-in if you know how to trace the cracker's tracks. I have done this on several occasions.
The important part is to be able to figure out what he exploited and close it up. If you have exposed services I can't emphasize enough the importance of being on the CERT mailing list and keeping your system updated to the absolute latest software and updates (fortunately this is both free and easy in the Linux world). And of course you want to expose the absolute minimal amount of services that you need and use secure services whenever possible.
Also, don't expect that crappy site I set up to grow very rapidly. It's not intended to be a high traffic site. I would have put it on my T-1 if that were the case, which I don't foresee happening.
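The rpm verification voidmain mentions produces one line per changed file, and the useful signal after a break-in is the subset of package-owned binaries whose size or checksum no longer matches. The script below is an added example, not code from the thread or from the rpm project: it filters `rpm -Va` output down to exactly those files. The sample output lines in it are constructed for the example; the flag-string layout (`S` for size, `5` for MD5, `c` marking a config file, `missing` for a deleted file) is rpm's documented verify format.

```shell
#!/bin/sh
# Added example, not the thread's own code: filter `rpm -Va` output down
# to package-owned files whose size or MD5 sum no longer matches the
# package database. A replaced ls, ps, chmod or bash from a root kit
# shows up exactly this way. Config files (the "c" marker) and mtime-only
# changes are skipped because they change during normal administration.
changed_files() {
    awk '
        # rpm prints "missing" where a packaged file was deleted outright
        $1 == "missing" { print $NF; next }
        # "c" between the flags and the path marks a config file: skip it
        NF > 2 && $2 == "c" { next }
        # column 1 is the SM5DLUGT flag string: S = size differs, 5 = MD5 differs
        substr($1, 1, 1) == "S" || substr($1, 3, 1) == "5" { print $NF }
    '
}

# Constructed sample of rpm -Va output (not real output from anyone's box).
SAMPLE_RPM_V='S.5....T   /bin/ls
.......T c /etc/sysconfig/network
S.5....T   /bin/ps
missing    /usr/bin/top
.......T   /usr/share/doc/foo/README'

# Real use, as root, after a suspected break-in:  rpm -Va | changed_files
printf '%s\n' "$SAMPLE_RPM_V" | changed_files
```

On the constructed sample this prints /bin/ls, /bin/ps and /usr/bin/top and stays quiet about the edited config file and the README whose timestamp changed. One caveat that matters for the situation in this thread: rpm and its database live on the same disk the intruder had root on, so a clean verify is only evidence, not proof; a tripwire baseline taken before the break-in, or a verify run from a rescue boot, is what makes the check trustworthy.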
dishawjp:
Thanks void main,
I'm still awful new at this stuff. The only ports I have open are:
25 (SMTP)
113 (IDENT)
I thought that these were necessary for mail and interacting with other servers. I'll take a look for the CERT site. I have done all the updates for RH 6.2 (using the apt-get update site you posted) and will look around for firewall and AV programs.
Would a more secure root password have helped, or any other easily implemented measures?
Once again thanks for all your help,
Jim
voidmain:
I would close both of those ports if I were you unless you absolutely need them, unless you have a DNS domain and are using that machine to receive incoming mail for that domain by having an MX record with that machine's address. The easiest way to close them is to turn off the services:
# chkconfig identd off
# service identd stop
# chkconfig sendmail off
# service sendmail stop
The identd is the stupidest thing anyone ever came up with. Do you really need sendmail running? Do you really need it exposed to the outside world? If Yes to the first question and no to the second question then at least set up firewall rules to only allow access to port 25 from your machines and no others.
dishawjp:
Hi void main,
Gotcha and I will shut both down. Also, I had this afternoon off and did a bit of poking around. I found some info on "ipchains" and am thinking of setting a rule, but am hesitant to do so without a bit of advice.
If I "su - root" and enter the command "/sbin/ipchains -P input DENY" will that provide additional protection, yet still allow me to download files, connect to the internet, and FTP into my work accounts?
I'm just beginning to get a bit of a handle on Linux and don't want to create irreversible messes.
Thanks again,
Jim
==========EDIT===========
Also, will shutting down sendmail prevent me from using Pine or standard UNIX e-mail from my machine? I have them set up as POP from an e-mail account from my ISP. I *could* lose that and if that's the best way to secure the machine, I guess I would.
Jim
[ November 29, 2002: Message edited by: DOSman ]
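The question above about "/sbin/ipchains -P input DENY" is the right instinct, but on its own that one command breaks the things Jim wants to keep doing: ipchains is stateless, so with a DENY default policy the reply packets of connections the machine itself opened (web downloads, POP, FTP to work) are dropped too. The script below is an added example, not code from the thread: a minimal default-deny input policy that keeps outbound connections working and limits port 25 to the local network, as voidmain suggested. The interface name ppp0 and the network 192.168.1.0/24 are assumptions for the example; substitute your own.

```shell
#!/bin/sh
# Added example (not from the thread): a default-deny ipchains input policy
# for a single dial-up host that still lets the host's own outbound
# connections (web, passive FTP, POP) get their replies back.
# Assumptions (not stated in the thread): the dial-up interface is ppp0
# and the local network is 192.168.1.0/24. Override via the environment.
IPCHAINS=${IPCHAINS:-/sbin/ipchains}
PPP_IF=${PPP_IF:-ppp0}
LAN=${LAN:-192.168.1.0/24}

# Print the rule set one command per line so it can be reviewed first;
# pipe it into sh as root to apply it.
firewall_rules() {
    cat <<EOF
# start from an empty input chain and deny by default
$IPCHAINS -F input
$IPCHAINS -P input DENY
# local traffic (X, lpd, etc.) never leaves the box
$IPCHAINS -A input -i lo -j ACCEPT
# replies to connections this host opened: TCP packets without the SYN flag
$IPCHAINS -A input -i $PPP_IF -p tcp ! -y -j ACCEPT
# DNS answers from the resolver come back as UDP from source port 53
$IPCHAINS -A input -i $PPP_IF -p udp -s 0/0 53 -j ACCEPT
# SMTP only from the LAN side; nothing on the dial-up side can reach port 25
$IPCHAINS -A input -s $LAN -p tcp -d 0/0 25 -j ACCEPT
# log (-l) every new connection attempt arriving over the dial-up link
$IPCHAINS -A input -i $PPP_IF -p tcp -y -l -j DENY
EOF
}

# Apply the rules (needs root). Run as:  sh firewall.sh apply
apply_firewall() {
    firewall_rules | sh
}

if [ "$1" = "apply" ]; then
    apply_firewall
fi
```

The `! -y` rule is the one that makes default deny livable: it accepts TCP segments that are not connection openers, which is as close to "established" as ipchains gets. Active-mode FTP does not fit that model, since the server opens the data connection back toward the client with a fresh SYN; use passive mode (`passive` in ftp, or `-p` with some clients) and it works through this policy. If the box has no LAN and runs sendmail only for local delivery, drop the port 25 rule entirely. The logged denials end up in /var/log/messages via klogd, which is also where the evidence of the next break-in attempt will be.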