Re: [SLUG] Recovering from mischief

From: Darr Palmer (darr@darrpalmer.com)
Date: Sat Aug 24 2002 - 16:51:59 EDT


I am building a temporary server, loading as we speak. As soon as I have it
online I will be removing the hard drive from my online box. Then I will
have a little more time to properly harden it before I put it back out. I
guess the 18 months that it survived out there was a stroke of luck.

I will be running Mandrake Pro-Suite 8.2. If anybody has any suggestions or
knows of any good checklists for hardening servers please forward the
information. It will be greatly appreciated.

Thanks

Darr Palmer

On Saturday 24 August 2002 11:09 pm, you wrote:
> Darr,
> Looks like you need to remove the hard drive and save as evidence. Get a
> fresh new one and do a complete install. It has been estimated that 12% of
> the boxes on the internet have been taken over by crackers. (not native
> Floridians, but the malicious type) It is probably safe to save your home
> directory and move it to the new install, after combing through it for
> anomalies. Mysteriously missing files are evidence of being cracked.
> But, from now on think: securing the system by tightening directory
> permissions, running only those daemons you need to run, using a firewall
> that lets in only what you want let in.
> Smitty
>
> On Saturday 24 August 2002 03:52, you wrote:
> > Hello again,
> >
> > I posted a thread last week regarding the apparent takeover of my server
> > by some external source.
> >
> > Thanks to all for the information on chkrootkit and the like. I ran the
> > tools and it reported many missing files, but no direct hits for being
> > rooted; however, I am still unable to explain the events that occurred
> > last weekend to my server.
> >
> > It has been suggested by some that perhaps my local email was being
> > scanned by whatever or whoever it was and they left, covering as much of
> > their trail as possible after I sent my request for help. The fact that
> > so many of the services just disappeared and numbers of files that just
> > vanished may lend credibility to that theory.
> >
> > I have managed to restore most of my services, however I am unable to
> > regain full usage of mail, ftp or samba.
> >
> > From the server (Mandrake 8.1) or any of my Linux boxes (RH7.3, Mandrake
> > 8.2, Lindows) I am able to send to internal and external email recipients
> > no problem. However off of my M$ boxes (98, 2K, XP) I get the "No
> > transport provider was available for delivery to this recipient". This
> > error occurs for both local and external email, and happens both when I
> > am connected to the local network, and when I try to email using my
> > account remotely.
> >
> > Samba is working for the public folders, but I am unable to log into my
> > home folders on the server from any of the machines.
> >
> > FTP is working locally, but I am unable to access from outside the local
> > network.
> >
> > On the good side, the new job is great. But I am exhausted from the
> > "maximum effort" period that comes with any new job, and I am sure that I
> > am simply overlooking some simple and obvious settings to restore
> > operation.
> >
> > Any thoughts or ideas would be appreciated. I am strongly considering
> > tearing down the server and starting over; this is not exactly what the
> > Mrs. wants to hear after last weekend.
> >
> >
> > Thanks in advance
> >
> > Darr Palmer
> >
> > "If the computer can only understand 0 and 1, why do I have to know all
> > this other stuff?" PO3 Palmer, US Navy Advanced Electronics School 1974
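As an added example that is not part of this thread: on an RPM-based distribution such as Mandrake, `rpm -Va` lists every installed file that is absent or differs from what its package shipped, which is one way to turn "many missing files" into a concrete list to check against the evidence drive. The script below is constructed for this example (the sample listing and all paths are made up) and only parses a captured `rpm -Va` listing.

```shell
#!/bin/sh
# Added example, not from the thread: triage a captured `rpm -Va` listing.
# Each line is a flag field, an optional file-type letter (c = config,
# d = documentation), then the path. The flag field reads "missing" when
# the file is gone; otherwise S means size differs and 5 means MD5 differs.
# The sample below is constructed for this example.
SAMPLE_RPM_VA='missing   /usr/sbin/in.ftpd
S.5....T   /bin/ls
.......T c /etc/samba/smb.conf
S.5....T   /bin/netstat
......G.   /var/spool/mail
missing   /usr/share/doc/samba/README'

# Print the path of every file rpm reports as missing, one per line.
missing_files() {
    printf '%s\n' "$1" | awk '$1 == "missing" { print $NF }'
}

# Print files whose content changed (size or MD5 flag set), skipping
# config files (type c): an edited config is expected, a changed
# binary such as ls or netstat is not and is worth a closer look.
changed_binaries() {
    printf '%s\n' "$1" | awk '
        $1 != "missing" && ($1 ~ /S/ || $1 ~ /5/) {
            if (NF == 3 && $2 == "c") next   # config file, edited on purpose
            print $NF
        }'
}

# Human-readable report for a captured listing.
triage_report() {
    echo "== missing files =="
    missing_files "$1"
    echo "== changed non-config files (size or MD5 differs) =="
    changed_binaries "$1"
}

triage_report "$SAMPLE_RPM_VA"
```

Capture the listing from a clean system against the mounted evidence disk (`rpm --root /mnt/evidence -Va`) rather than on the suspect host, where rpm itself and the package database may have been altered.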



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 16:57:12 EDT