[NTLUG:Discuss] Challenge....

Jack Snodgrass jack at jacksnodgrass.com
Sat Sep 11 08:48:37 CDT 2004


On Sat, 2004-09-11 at 04:58 -0500, Douglas King wrote:
> OK, I've got a problem.  This past week.....I've had a RedHat 7.3 webserver 
> shut down every night somewhere between the hours of 1:30 AM and 3:00 
> AM.  We have checked ALL the scheduled crons, etc. and find nothing that 
> would be shutting it down "naturally".  The power light on the case remains 
> on, but you cannot SSH into it, nor is the machine functional.  Log files 
> don't indicate a lot to me...although, I did catch a potential hacker 2 
> nights ago...but he's since been dealt with.
> 
> Where do I look now?  

use:
rpm -V -a
to run rpm verify on all of your installed .rpm files. 

If a hacker got in ( and you didn't know it ) and replaced
your 'login' or other system file to not show when they 
login... then rpm -V -a might show you what files have 
been compromised.... maybe... unless they disabled rpm -V 
too. Depends on how smart they are... 


How secure is your system from the outside world? 
Have you run any port scans against it from an outside
connection? 


How secure is your system from the inside to the outside 
world? Are you 100% sure that a hacker hasn't installed a 
program ( could run from any cron task ) that goes from 
your box, through a firewall to a remote system and then 
lets the hacker tunnel back in? All someone has to do is 
have ssh run from your box to some open port ( 80 - web ) 
and start a reverse tunnel. Once your box has connected 
to them, they can come back in through the firewall to 
your system. 

Does 
netstat | egrep "tcp|udp|Proto"
show you any wanky connections? 


-- 
Jack Snodgrass <jack at jacksnodgrass.com>
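As an added example, not part of Jack's reply or anything from the original thread: a small POSIX shell script that triages the two checks he suggests, `rpm -V -a` output (which packaged files no longer match what the package installed) and `netstat` output (which connections this box opened itself, the precondition for the reverse-tunnel pattern he describes). The sample outputs embedded below are constructed for the example, the addresses are documentation ranges rather than real hosts, and the function names are my own.

```shell
#!/bin/sh
# Triage helpers for `rpm -V -a` and `netstat` output.
# All sample data below is constructed for this example, not real system output.

# Constructed sample of `rpm -V -a` output. Each line is 8 flag characters
# (S size, M mode, 5 MD5, D device, L link, U user, G group, T mtime; a dot
# means "matches"), then an optional attribute letter (c = config file), then
# the path. A whole-file "missing" line means the packaged file is gone.
RPM_SAMPLE='S.5....T    /bin/login
S.5....T  c /etc/passwd
.......T    /usr/share/doc/README
.M......    /sbin/ifconfig
missing     /usr/bin/top'

# Constructed sample of `netstat -tn` / `netstat` output (addresses from the
# 10.0.0.0/8, 192.0.2.0/24 and 203.0.113.0/24 documentation/private ranges).
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:22             10.0.0.20:51234         ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:44121       ESTABLISHED
tcp        0      0 10.0.0.5:43877          192.0.2.10:80           ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*'

# Read rpm -V output on stdin; print paths whose contents differ from the
# package (size or MD5 changed) or that are missing. Config files ("c") are
# skipped because local edits to them are expected; a changed binary is not.
rpm_verify_suspicious() {
    awk '
        $1 == "missing" { print $NF; next }
        $2 == "c"       { next }
        substr($1, 1, 1) == "S" || substr($1, 3, 1) == "5" { print $NF }
    '
}

# Read netstat output on stdin; print the foreign endpoint of every
# ESTABLISHED tcp connection whose LOCAL port is ephemeral (>= 1024), i.e. a
# connection this host initiated. Inbound service traffic (local port 22, 80)
# is left out, so what remains is the "box phones out" pattern to review
# against what the machine is known to do (updates, DNS, backups).
outbound_established() {
    awk '
        $1 == "tcp" && $6 == "ESTABLISHED" {
            n = split($4, l, ":"); lport = l[n] + 0
            if (lport >= 1024) print $5
        }
    '
}

# Stand-alone demo on the constructed samples. On a live box the same
# functions take real output:  rpm -V -a | rpm_verify_suspicious
#                               netstat -tn | outbound_established
echo "== packaged files with changed contents or missing =="
printf '%s\n' "$RPM_SAMPLE" | rpm_verify_suspicious
echo "== connections this host opened itself =="
printf '%s\n' "$NETSTAT_SAMPLE" | outbound_established
```

Two caveats match Jack's own: this only trusts `rpm` and `netstat` as far as they have not themselves been replaced (compare against a known-good copy or boot from clean media if the output looks too quiet), and a path containing spaces would confuse the `$NF` field split, which is rare for packaged system files but worth knowing.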



