TCLUG Archive

Re: [TCLUG:12807] bad day (more details)



On Mon, 24 Jan 2000, Timothy Wilson wrote:

> On Mon, 24 Jan 2000, Chris McKinley wrote:
> 
> > it looks like you got 0wn3d by some script kiddie who did not know how to
> > cover their tracks, and just trashed the system instead.  What services
> > were offered from this box, it looks to me like DNS, DHCP, nfs, anything
> > else?  Check the logs for connections on any running service.  If there is
> > an "unusual" connection, or lots of connections, a la SATAN or nmap, that
> > may be your culprit.  Keep backup copies of everything you can,
> > especially logs, as you will need to reinstall from media.
> 
> Crap. The machine was running DNS, DHCP, NFS, Sendmail, Apache, Zope, FTP.
> All the inetd stuff was shut off except for SSH and FTP. Man, now I'm
> angry. I guess I'm going to have to shift into paranoid mode (plus, it's
> kind of embarrassing). I realize that I *should* be running SATAN,
> Tripwire, chroot everything, etc., but it's practically a full-time job to
> keep up. <lightbulb> Hey, maybe that's why some people actually get paid
> to do this! :-)
> 

Hmm, I suppose that, being a school, you do not have the $$$ for a bunch of
dedicated boxen for each of these functions.  At a minimum, I would
separate mail, DNS, web, and NFS, running DNS and NFS on the same system
if necessary.  Perhaps this could be justification for purchasing more
equipment, even i486 or i586 boxes?

-Chris
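The advice quoted above is to go through the connection logs of every running service and look for the one source that hits "lots of connections" in the way a SATAN or nmap sweep does. As an added example that is not part of this thread and not anything the poster ran, the following script does that triage over the syslog lines that tcp_wrappers / inetd-wrapped daemons emit on connect ("connect from HOST", or "refused connect from HOST" when hosts.deny blocks it). The sample log lines are constructed for the example, and the thresholds (4 distinct services or 6 connections from one source inside 60 seconds) are assumptions to tune for the site, not values from the thread.

```python
"""Flag probable service scans in tcp_wrappers-style "connect from" logs.

Added example for the TCLUG thread above; not the poster's code.
Assumed log format (what libwrap logs via syslog):
    Jan 24 03:12:01 host in.ftpd[1234]: connect from 10.1.2.3
    Jan 24 03:12:09 host in.ftpd[1239]: refused connect from 10.1.2.3
Thresholds are assumptions chosen for illustration.
"""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts service src refused")

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+"  # syslog time, hostname
    r"(?P<service>[\w.\-]+)\[\d+\]:\s+"                    # daemon[pid]:
    r"(?P<refused>refused )?connect from (?P<src>\S+)"     # tcp_wrappers message
)

# Constructed sample log: one host probing six services in nine seconds
# (scan-like), two ordinary clients, and one connection refused by hosts.deny.
SAMPLE_LOG = """\
Jan 24 03:11:58 school in.ftpd[2001]: connect from 192.168.1.50
Jan 24 03:12:01 school in.telnetd[2002]: connect from 192.168.1.50
Jan 24 03:12:02 school in.fingerd[2003]: connect from 192.168.1.50
Jan 24 03:12:03 school ipop3d[2004]: connect from 192.168.1.50
Jan 24 03:12:04 school rpc.mountd[2005]: connect from 192.168.1.50
Jan 24 03:12:05 school in.rshd[2006]: connect from 192.168.1.50
Jan 24 03:12:06 school in.ftpd[2007]: connect from 192.168.1.50
Jan 24 03:12:07 school in.ftpd[2008]: connect from 192.168.1.50
Jan 24 08:30:11 school in.ftpd[2105]: connect from 10.0.0.7
Jan 24 08:45:09 school sshd[2130]: connect from 10.0.0.7
Jan 24 09:02:44 school in.ftpd[2140]: connect from 10.0.0.9
Jan 24 09:10:00 school in.ftpd[2141]: refused connect from 172.16.5.5
"""


def parse_connections(text):
    """Parse tcp_wrappers connect lines; unrelated syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; strptime yields year 1900, which is
        # fine for comparing events within one log file.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append(Event(ts, m.group("service"), m.group("src"),
                            bool(m.group("refused"))))
    return events


def find_scanners(events, window_seconds=60, min_services=4, min_connections=6):
    """Return {src: (max distinct services, max connections)} for every source
    that, within some window_seconds-long window, touched at least
    min_services different daemons or made at least min_connections
    connections.  Refused connections count too: a scanner does not stop
    because hosts.deny turned it away."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev.src].append(ev)
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        best_services = best_conns = 0
        j = 0
        for i in range(len(evs)):
            # advance j to the first event outside the window starting at i
            while j < len(evs) and evs[j].ts - evs[i].ts <= window:
                j += 1
            in_window = evs[i:j]
            best_services = max(best_services, len({e.service for e in in_window}))
            best_conns = max(best_conns, len(in_window))
        if best_services >= min_services or best_conns >= min_connections:
            flagged[src] = (best_services, best_conns)
    return flagged


if __name__ == "__main__":
    for src, (services, conns) in find_scanners(parse_connections(SAMPLE_LOG)).items():
        print(f"{src}: {services} services, {conns} connections in one window")
```

Run it over `/var/log/messages` (or wherever syslog sends the auth/daemon facilities) by reading the file into `parse_connections`; daemons that do not go through libwrap, such as Apache and BIND, keep their own logs and need their own parsers, so an absence here proves nothing about those services.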