Re: [K12OSN] I got hacked.........

Max Pakhutkin (lists@stumbledot.org)
Tue, 09 Apr 2002 13:10:42 -0500


To add to all the good advice given so far on this topic, the best 
philosophy to assume with regard to security is
1) you will never be totally secure; sooner or later something will get 
compromised. This is actually true, not just a belief.
2) if you want to be secure most of the time you have to be really 
paranoid about it. Not just 'hmm, let's see what the security journal 
advises me to do this month' but actually constantly thinking about it. 
Things like: the first thing you do after su'ing to root is run 
netstat -nap | less and check for things (that, of course, implies that 
you run tripwire every day or more often (on a scheduled basis) to make 
sure netstat hasn't been tinkered with; it also assumes only root can 
execute netstat along with most other network related utilities), and 
about a hundred other things like that at the very least.

A common misconception people seem to have is expecting software to be 
secure. It never is, just like your house never is anywhere close to 
secure. Anyone can kick in your door and walk in. The only thing that 
saves you most of the time is the fact that the incentive to kick in 
your door is dramatically decreased by police activity. Not so on the 
Internet.

To quote the CEO of Intel, "Only the paranoid survive".

Max


Michael Cortes wrote:

>It would appear that someone used SSH to get into my system.  I decided to 
>install sshd and stop telnet'ing because of the security risk, as soon as I do 
>it, someone got in.
>
>Anyhow, here is what I suspect so far:
>
>1. when they got in, they created the user "cgi"
>2. they added "unset HISTFILE" and "unset HISTSAVE" to the root's 
>.bash_profile.  This caused root not to save the history so I couldn't see 
>what was run as root.
>3. logging is not happening.  I have checked my log files and the last entries 
>are about the time I first detected the break in. 
>
>So my questions are:
>
>Did I do right by deleting the cgi user?  Was this user necessary?
>How do I turn logging back on?  I have no idea where to look.
>What is a good/quick way to tell which users have no password set?
>
>Thank you,
>
>
>
>
>Michael Cortes
>Fort LeBoeuf School District
>34 East 9th Street
>PO Box 810
>Waterford PA 16411-0810
>814.796.4795
>Fax1 814.796.3358
>Fax2 978-389-1258
>
>
>
>_______________________________________________
>K12OSN mailing list
>K12OSN@redhat.com
>https://listman.redhat.com/mailman/listinfo/k12osn
>For more info see 
>
>


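A triage script for the checks that come up in this thread: which accounts have no password at all, whether root's profile has had history disabled, what is listening (the netstat -nap habit), whether a syslog daemon is still running, and a checksum baseline for the tools you rely on to tell you the truth (a poor man's version of the tripwire schedule described above). This is an added example, not code from either poster; the sample shadow and profile files are constructed here, and the function names and variable names are my own.

```shell
#!/bin/sh
# Post-break-in triage helpers.  Added example, not code from the original
# posts.  Sample inputs below are constructed; SAMPLE_SHADOW and
# SAMPLE_PROFILE are assumed names standing in for /etc/shadow and
# /root/.bash_profile.

# --- constructed sample data --------------------------------------------
SAMPLE_SHADOW=$(mktemp)
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$1$saltsalt$hashhashhashhashhashha:11786:0:99999:7:::
daemon:*:11786:0:99999:7:::
cgi::11786:0:99999:7:::
guest::11786:0:99999:7:::
nobody:!!:11786:0:99999:7:::
EOF

SAMPLE_PROFILE=$(mktemp)
cat > "$SAMPLE_PROFILE" <<'EOF'
# .bash_profile
PATH=$PATH:$HOME/bin
export PATH
unset HISTFILE
unset HISTSAVE
EOF

# Users whose password field is empty: anyone can log in as them with no
# password.  "*", "!" or "!!" in that field means the account is locked,
# which is a different (and fine) state.  Run it against /etc/shadow as root.
empty_password_users() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Lines in a shell profile that disable history, the trick the intruder used
# on root's .bash_profile.  HISTSIZE=0 and HISTFILE=/dev/null are other ways
# of achieving the same thing, so the pattern covers those too.
history_tampering() {
    grep -nE '^[[:space:]]*unset[[:space:]]+HIST|HISTFILE=/dev/null|HISTSIZE=0' "$1"
}

# True if "others" have execute permission, i.e. any local user can run the
# file.  The 10th character of ls -l output is the others-execute bit.
world_executable() {
    [ "$(ls -ld "$1" | cut -c10)" = "x" ]
}

# Checksums of the binaries you trust (netstat, ps, ls, login, sshd ...).
# Take the baseline on a known-clean system, keep the file off the box, and
# re-verify from cron.  sha256sum is GNU coreutils; tripwire does this more
# thoroughly (inode, mtime, ownership) and signs its database.
baseline_checksums() {   # baseline_checksums OUTFILE FILE...
    out=$1; shift
    sha256sum "$@" > "$out"
}
verify_checksums() {     # non-zero exit if any recorded file changed
    sha256sum -c --quiet "$1"
}

# Live checks that need the real system (and normally root).  Nothing here
# is asserted on; it is what you would actually look at right after su.
live_checks() {
    echo "== listening sockets: read the PID/Program column for anything odd =="
    if command -v ss >/dev/null 2>&1; then
        ss -tulpn
    elif command -v netstat >/dev/null 2>&1; then
        netstat -nap | grep LISTEN
    fi
    echo "== syslog daemon (none running means logging has been stopped) =="
    if command -v pgrep >/dev/null 2>&1; then
        pgrep -l 'syslogd|rsyslogd|syslog-ng' \
            || echo "no syslog daemon; on Red Hat of that era: /sbin/service syslog start"
    fi
    echo "== accounts with no password =="
    [ -r /etc/shadow ] && empty_password_users /etc/shadow
}

# Demo on the constructed data (prints "cgi guest" and the two unset lines).
echo "empty-password users: $(empty_password_users "$SAMPLE_SHADOW" | tr '\n' ' ')"
history_tampering "$SAMPLE_PROFILE"
```

Deleting an unknown account like "cgi" is the right instinct, but before doing so capture its home directory, crontab and any processes it owns; the checksum baseline is only worth anything if it was taken before the compromise, so on an already-compromised box compare against a clean install's binaries instead.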