On Sun, Feb 05, 2006 at 04:46:25AM -0500, James Pifer wrote:
On Sun, 2006-02-05 at 10:30 +0100, Ralph Angenendt wrote:
James Pifer wrote:
Besides killing what's running, how do I get this all cleaned up?
Most hackers install multiple backdoors on a system once they get in. Your system has been compromised and you have no way of knowing what executables on your system have been replaced by trojans.
You have only one choice:
You must reformat the hard drive and re-install from the beginning
This is the only way you can be sure that you have removed all the backdoors from the system. Unless you devote a lot of time to figuring out what backdoors might have been installed, and have a lot of expertise to know what you're looking for, you won't be able to be sure that the hackers have been locked out.
Once you have addressed the break-in to your satisfaction, try running a trip wire program like Samhain (http://la-samhna.de/samhain/). It will tell you the details of any changes to system files. Few hackers would have the time and savvy to defeat it though I'm sure it's possible.
There are a variety of countermeasures you can install to prevent future attempts but the general rule is to disable all unnecessary applications. If you don't use sshd to get access from outside: install a firewall and block port 22.
Definitely don't run an ftp server. Use scp if needed.
The hotmail account has been denied logins now. I've also set a new password on the account.
Drop passwords for SSH completely and use public key based authentication. There, one problem gone.
More on http://sial.org/howto/openssh/publickey-auth/
If you *have* to use passwords somewhere: Don't use weak ones.
Ralph/Ignacio,
Thank you very much for your help!!!! I think it's all cleaned up now. I will look at using public key based auth and disabling ssh passwords.
Thanks again. James
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
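Ralph's advice to drop SSH passwords, as an added example that is not part of the thread: a small POSIX shell audit of an sshd_config that reports whether password logins are really off. It reads the config the way sshd does (first occurrence of a keyword wins, global settings end at the first Match block) and adds the check a practitioner would want on top of PasswordAuthentication: keyboard-interactive authentication through PAM is a second password path and must also be off. The sample configs are constructed for the example, not taken from James's machine; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for key-only logins.
# The sample configs below are constructed; the function names are assumptions.

# Print the effective value of a keyword, lower-cased, or nothing if it is unset.
# sshd honours the FIRST occurrence of a keyword, and global settings end at the
# first Match block, so stop reading there. "Keyword=value" syntax is not handled.
sshd_effective() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }                     # comments, blank lines
        tolower($1) == "match"      { exit }                     # conditional block: stop
        tolower($1) == tolower(key) { print tolower($2); exit }  # first match wins
    ' "$1"
}

# Return 0 if no password path is left open, 1 otherwise; one line per finding.
audit_sshd_config() {
    cfg="$1"; fail=0

    # Defaults to yes when absent, so a commented-out line is a finding.
    v=$(sshd_effective "$cfg" PasswordAuthentication)
    [ "${v:-yes}" = "no" ] ||
        { echo "FAIL PasswordAuthentication=${v:-yes (default)}: guessed passwords still log in"; fail=1; }

    # Keyboard-interactive (PAM) is a second password prompt; ChallengeResponseAuthentication
    # is the older name for the same switch. Both default to yes.
    v=$(sshd_effective "$cfg" KbdInteractiveAuthentication)
    [ -n "$v" ] || v=$(sshd_effective "$cfg" ChallengeResponseAuthentication)
    [ "${v:-yes}" = "no" ] ||
        { echo "FAIL KbdInteractiveAuthentication=${v:-yes (default)}: PAM can still ask for a password"; fail=1; }

    # Defaults to yes; turning it off together with passwords locks everyone out.
    v=$(sshd_effective "$cfg" PubkeyAuthentication)
    [ "${v:-yes}" = "yes" ] ||
        { echo "FAIL PubkeyAuthentication=$v: no login method would be left"; fail=1; }

    # The default has changed between OpenSSH versions, so require an explicit value.
    v=$(sshd_effective "$cfg" PermitRootLogin)
    case "$v" in
        no|without-password|prohibit-password) ;;
        *) echo "FAIL PermitRootLogin=${v:-unset}: set it explicitly to no"; fail=1 ;;
    esac

    [ "$fail" -eq 0 ] && echo "OK $cfg: password logins disabled"
    return "$fail"
}

# Constructed sample modelled on a typical distribution default: everything commented out.
sample_config_default() {
    printf '%s\n' '#Port 22' 'Protocol 2' '#PasswordAuthentication yes' 'UsePAM yes'
}

# Constructed sample: the config after following the advice in the thread.
sample_config_hardened() {
    printf '%s\n' 'Protocol 2' 'PermitRootLogin no' 'PubkeyAuthentication yes' \
        'PasswordAuthentication no' 'ChallengeResponseAuthentication no' 'UsePAM yes'
}

# Usage: sh audit_sshd.sh /etc/ssh/sshd_config
if [ $# -gt 0 ]; then
    audit_sshd_config "$1"
fi
```

Run it against the live file before restarting sshd, and keep an existing session open while you test a key login from a second terminal: with PasswordAuthentication off, a missing or mis-permissioned authorized_keys file locks you out. The firewall rule for port 22 mentioned earlier in the thread is a separate step and is not covered by this script.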