TCLUG Archive

RE: [TCLUG:12807] bad day (more details)



I think you'll probably be okay to have a link from your internal to
external servers - but allowing access to your internal servers from
the internet is bad news.  Make sure you don't have any rshing going
on, or trusted hosts.

Nick Reinking
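A defender-side check for the rsh and trusted-hosts concern raised above, added here as an example and not part of the original thread. It parses the Berkeley r-service trust files (/etc/hosts.equiv and a user's ~/.rhosts) and an inetd.conf, and flags every entry that would grant a password-less login or leave an r-service listening. The file contents below are constructed samples; the functions take their input as text, so they can be run against files copied off a disk without executing anything on it.

```python
import os
from dataclasses import dataclass

# inetd service names for the Berkeley r-commands (rsh, rlogin, rexec);
# any uncommented line for one of these means the daemon is enabled
RSERVICES = {"shell", "login", "exec"}


@dataclass
class Finding:
    source: str   # file the entry came from
    line: str     # the offending entry
    reason: str   # why it matters


def audit_trust_file(text, source):
    """Flag entries written in hosts.equiv / .rhosts syntax.

    Each non-comment line is 'host [user]'. A '+' in either field is a
    wildcard (any host / any user), '+@name' trusts a whole netgroup,
    and a leading '-' is an explicit deny. Every positive entry lets the
    named host's users in without a password, so all of them are reported;
    wildcards are the critical ones.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host.startswith("-"):
            continue  # explicit deny entry, harmless
        if host == "+" and user == "+":
            reason = "any user from any host trusted"
        elif host == "+":
            reason = "any host trusted"
        elif user == "+":
            reason = f"any user from {host} trusted"
        elif host.startswith("+@"):
            reason = f"whole netgroup {host[2:]} trusted"
        else:
            reason = f"password-less trust of {host}"
        findings.append(Finding(source, line, reason))
    return findings


def audit_inetd(text, source="/etc/inetd.conf"):
    """Flag active (uncommented) inetd lines for the r-services."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        service = line.split()[0]
        if service in RSERVICES:
            findings.append(Finding(source, line, f"r-service '{service}' enabled"))
    return findings


# Constructed samples standing in for files copied off the host under review.
HOSTS_EQUIV = """# constructed sample /etc/hosts.equiv
+
printsrv.example.internal
-badhost.example.internal
"""

RHOSTS = """# constructed sample ~/.rhosts for one user
+ +
workstation.example.internal
"""

INETD_CONF = """# constructed sample /etc/inetd.conf
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd
#shell  stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd
login   stream  tcp  nowait  root  /usr/sbin/tcpd  in.rlogind
"""


def run_sample_audit():
    """Audit the constructed samples and return all findings."""
    return (audit_trust_file(HOSTS_EQUIV, "/etc/hosts.equiv")
            + audit_trust_file(RHOSTS, os.path.join("~", ".rhosts"))
            + audit_inetd(INETD_CONF))


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"{f.source}: {f.line!r}: {f.reason}")
```

On a real host the same functions would be fed /etc/hosts.equiv, every ~/.rhosts under /home and /root, and /etc/inetd.conf; an empty result for all three, plus no rshd/rlogind/rexecd processes, is what "no rshing or trusted hosts" looks like in practice.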
wilson@visi.com, on 01/24/2000 03:21:22 PM
To: tclug-list@mn-linux.org @ PMDF
cc:  
Subject: RE: [TCLUG:12807] bad day (more details)

On Mon, 24 Jan 2000, Eric Hillman wrote:

> On the other hand, from the way your system was trashed, I doubt this was
> the work of a competent individual...  Not that that's probably any
> consolation.

I've looked at the logs, and the only host I don't recognize is
chmls10.mediaone.net (24.128.1.118). Every other mention of an external
host in the logs was from me or some other domain name that I recognize
and can reasonably assume to be innocent.

> However, in case it hasn't been mentioned already, don't, don't, DON'T try
> to repair the damage on this server.  The only way you'll be sure your
> unwelcome guest hasn't left behind some trapdoor into the system is to
> totally wipe the hard drive and start over (backups of non-system files may
> be OK, like your website, or the contents of your FTP site, but you'll want
> to make *very* sure those haven't been tampered with either).  Or, if you
> prefer, get a new set of drives and keep the old ones as evidence.  Changing
> the passwords is *not* enough.  Even restoring from backup may not work if
> the backup was taken after the system was first entered.

I wouldn't dream of trying to repair it, but I do have to restore my
users' data. That's on a tape that was made a couple weeks ago. It seems
my only alternative is to restore those files. Of course, everything else
will be replaced from scratch.

I was actually in the middle of planning to change some things around to
reduce my vulnerability to this. I have an old DEC server that I'd been
using as a print server. I've been planning to move things like DNS and
DHCP to it for a while.

But let's say I go all the way and completely separate services so that
internal ones (DHCP, print, DNS, etc.) are completely separate from
external (ftp, http). Wouldn't that make it impossible to access my files
on the fileserver from home? That's something that I do now rather
frequently and is a great benefit to me and the rest of the users on the
network. Is there a security/utility tradeoff here?

-Tim

--
Tim Wilson        | Visit Sibley online:         | Check out:
Henry Sibley H.S. | http://www.isd197.k12.mn.us/ | http://www.zope.org/
W. St. Paul, MN   |                              | http://slashdot.org/
wilson@visi.com   |   <dtml-var pithy_quote>     | http://linux.com/
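The quoted advice above stresses that user data restored from tape must be checked for tampering, and that a backup taken after the break-in cannot be trusted. The following added example (not part of the original thread) shows one way to do that check: build a manifest of file hashes and permission bits from a known-good baseline, build another from the restored tree, and report what was added, removed, altered, or carries a setuid/setgid bit. The directory paths and file contents in the demonstration are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile


def build_manifest(root):
    """Record (sha256, permission bits) for every regular file under root.

    Keys are paths relative to root so that two trees restored to different
    mount points can be compared. Symlinks and special files are skipped here;
    a production tool would record them too.
    """
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root)
            manifest[rel] = (digest.hexdigest(), stat.S_IMODE(st.st_mode))
    return manifest


def compare_manifests(baseline, restored):
    """Diff two manifests; each value is a (hash, mode) tuple.

    Returns sorted lists of paths that appeared, disappeared, changed content,
    or are setuid/setgid in the restored tree (the usual place to hide a
    trapdoor in user-owned data such as a web or FTP root).
    """
    common = baseline.keys() & restored.keys()
    return {
        "added": sorted(restored.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - restored.keys()),
        "changed": sorted(p for p in common if baseline[p][0] != restored[p][0]),
        "setuid_or_setgid": sorted(
            p for p, (_, mode) in restored.items()
            if mode & (stat.S_ISUID | stat.S_ISGID)
        ),
    }


def _write(root, rel, data, mode=0o644):
    """Helper for the demonstration: create a file with given content/mode."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)


def demo():
    """Build a constructed baseline and a tampered restore, then compare."""
    with tempfile.TemporaryDirectory() as base, tempfile.TemporaryDirectory() as rest:
        # baseline: the site as it looked before the break-in
        _write(base, "www/index.html", b"<h1>Sibley</h1>")
        _write(base, "www/about.html", b"<p>about</p>")
        # restored tree: index altered, about.html gone, a setuid file added
        _write(rest, "www/index.html", b"<h1>Sibley</h1><!-- altered -->")
        _write(rest, "www/.cache/helper", b"\x7fELF", mode=0o4755)
        return compare_manifests(build_manifest(base), build_manifest(rest))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

The baseline manifest has to come from something that predates the intrusion, such as an older tape or a fresh install of the site from its original sources; hashing the files on the compromised machine and comparing the tape against that proves nothing, which is exactly the warning about backups taken after the system was first entered.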

