Dave, Scott, Tom, Derek,

Thanks for all the advice, although none of the content was as pleasant as I was hoping for. :-(

I decided to take a small risk and tar up a lot of my changes (custom apache and tomcat compilations, my custom apps, etc.) before using the RedHat 6.2 reformat/recovery disk. They look clean and will save me about 12 hours. (I'll let you know if I'm sadly mistaken.)

Now I've got a decision to make... Penguin didn't ship the RedHat 6.2 box set with the original machine, so now they're shipping me RedHat 7.0. Here are my two concerns:

1. If I upgrade to 7.0, will I have any problem with my pre-compiled apps I'm copying from 6.2?

2. If I stick with 6.2, I can't activate my RedHat support account since I don't have a product ID, and Penguin says they have no more copies to give me. (Without the support account, I can't use the ftp or RedHat Network update features... downloading 100+ security patches via my web browser will suck.)

Any advice?

Thanks,
Chris

>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 3/27/01, 1:12:36 PM, Derek Martin <ddm at mclinux.com> wrote regarding Re: Help... I've been hacked!:

> On Tue, 27 Mar 2001, Chris Janicki wrote:
>
> > Hi, I'm brand new to Linux, although I know Solaris. I was working on my
> > brand new Red Hat 6.2 Linux machine (soon to be my web server, email
> > server, etc.) when I noticed an email returned to root. It was from
>
> If you're going to use a Linux machine for those purposes, the absolute
> first thing you must do (immediately after installing RH on it) is
> download all the updates from Red Hat's FTP site or a mirror, and upgrade
> what you have installed.
>
> The absolute second thing that you must do is learn how to configure your
> system to be a firewall, and do it. Only then should you even think about
> running services from this machine.
>
> After you do those things, the third thing that you absolutely must do is
> turn off all services that you do not absolutely need.
>
> The fourth thing you must do is spend time on configuring the services
> that you NEED to run, so that you have made them as safe and secure as you
> possibly can. Limit access to those services as much as possible, through
> both configuration of the services, and configuration of your firewall and
> other mechanisms (like TCP wrappers), where appropriate.
>
> Finally, you must keep up-to-date on security announcements and patches
> for your software. The system security mantra is "Security is a process,
> not a product." You are NEVER DONE!
>
> > Yahoo, saying that the destination's email box was full. The subject of
> > the email was my IP address! Knowing that I hadn't sent any email, I did
> > 'grep yahoo /bin/*' and found that email address in login, ps, ls, and
> > netstat. I've been hacked, right?!
>
> Yup, sounds like you were probably the victim of the Lion Worm. Time to
> re-install. THERE IS NO OTHER WAY! Once your system has been
> compromised, the only sure way to recover is to wipe it clean and install
> fresh. Whereas this was a new machine, this probably won't be too big a
> deal for you, as you probably don't have much there that you can't live
> without.
>
> > 1) What can I do to replace those files? I spent many hours configuring
> > the box, so I don't want to start from scratch.
>
> If you want to be a responsible Netizen, you MUST start from
> scratch. Otherwise, you cannot guarantee that you have completely
> cleaned the box and not left behind back doors that were installed by the
> worm. Intrusion Detection Systems such as tripwire (www.tripwire.com) can
> HELP identify what has been damaged, but a talented and determined
> attacker can defeat virtually any security measure, given enough time.
>
> > 3) Is there any particular hole in RedHat 6.2 that I need to address?
> > (It was preconfigured on the machine I bought from Penguin, in December.)
>
> Several. The two most commonly exploited holes at the moment are the
> statd buffer overflow and various named exploits. You MUST get the
> security updates from Red Hat for these problems. But there are others
> too. See the support area of Red Hat's website and look at the security
> updates. Install them all.
>
> For more information on the Lion Worm, see this link to an announcement
> from the good people at GIAC, on the SANS website:
>
> http://www.sans.org/y2k/lion.htm
>
> --
> Derek Martin
> Senior System Administrator
> Mission Critical Linux
> martin at MissionCriticalLinux.com
>
> -
> Subscription/unsubscription/info requests: send e-mail with
> "subscribe", "unsubscribe", or "info" on the first line of the
> message body to discuss-request at blu.org (Subject line is ignored).
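Derek's reply points at tripwire-style intrusion detection as the way to find out which files a worm replaced. The script below is an added example, not code from the thread and not tripwire itself: it records a hash snapshot of a directory of binaries right after a clean install and reports every file that later differs, disappears, or appears. It assumes a POSIX sh and sha256sum from GNU coreutils; the baseline file must be kept off the machine, since a snapshot the intruder can edit proves nothing.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal tripwire-style integrity
# check. A replaced ls, ps or netstat shows up as a hash mismatch even if
# the attacker restored the original size and timestamp.

# baseline_dir DIR BASELINE: record the sha256 of every regular file in DIR.
baseline_dir() {
    dir=$1; out=$2
    find "$dir" -type f -print | LC_ALL=C sort | while read -r f; do
        sha256sum "$f"              # "hash  path", one line per file
    done > "$out"
}

# verify_dir DIR BASELINE: print one line per CHANGED, MISSING or NEW file.
# Returns 0 when DIR still matches the baseline, 1 otherwise.
verify_dir() {
    dir=$1; base=$2; status=0
    # Pass 1: every file the baseline knows must still exist and hash the same.
    while read -r sum f; do
        if [ ! -f "$f" ]; then
            echo "MISSING  $f"; status=1
        elif [ "$(sha256sum "$f" | cut -d' ' -f1)" != "$sum" ]; then
            echo "CHANGED  $f"; status=1
        fi
    done < "$base"
    # Pass 2: anything on disk the baseline never saw (a dropped-in backdoor).
    # Exact-line match, so a baseline entry for /bin/ls does not cover
    # /bin/lsattr. The path column starts after the two-space separator.
    known=$(cut -d' ' -f3- "$base")
    new=$(find "$dir" -type f -print | LC_ALL=C sort | while read -r f; do
        printf '%s\n' "$known" | grep -q -x -F -- "$f" || echo "NEW      $f"
    done)
    if [ -n "$new" ]; then printf '%s\n' "$new"; status=1; fi
    return $status
}

# Usage: baseline_dir /bin /root/baseline.sha256 right after install, copy
# the baseline off-box, then verify_dir /bin /root/baseline.sha256 whenever
# the machine looks odd (a bounced mail to root, an unknown process, ...).
```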