Re: Strange connection

From: Scot L. Harris (webid_at_cfl.rr.com)
Date: 07/20/05

    To: For users of Fedora Core releases <fedora-list@redhat.com>
    Date: Wed, 20 Jul 2005 14:49:23 -0400

    On Wed, 2005-07-20 at 14:25, Mike McCarty wrote:

    > I'm running FC2 now. I did a netstat and didn't see any connections
    > I couldn't account for.
    >
    > I have set up for FC2 legacy updates, and done a
    >
    > # yum update
    >
    > which pulled several packages.
    >
    > What should I do in order to defend against this sort of attack?
    > I'm not familiar with iptables, though I just looked, and it
    > didn't look like much was blocked. I don't have awstats, I guess,
    > as
    >
    > $ su -
    > # man awstats
    > No manual entry for awstats

    The first thing to do is evaluate your system to determine what might be
    a path into it. Are you running a web server that you have available
    from the Internet? If you do then you need to look at all open ports on
    your system. Either run a network scan yourself from another location
    or you can use http://www.grc.com to run ShieldsUP, which will scan your
    IP address and let you know which ports are exposed.

    If you have any ports exposed examine the service on those ports. HTTP,
    SSH, etc should be reviewed to make sure you are up to date on security
    patches for those services. Any service you don't need or use should be
    disabled and blocked by iptables.

    The default iptables should block everything unless you opened any ports
    during setup. As someone in this thread indicated, you should take
    the additional step of blocking outbound ports on your system except for
    those you use. Not many people do this. Many companies do this to
    prevent someone from running code that connects from inside the firewall
    to an external site.

    Run chkrootkit and rkhunter, set up tripwire and review the reports
    daily. Monitor your log files and check netstat periodically for
    anything strange.

    The OP was probably compromised via phpBB, which is known to have various
    security holes.

    If you are not providing any services to the Internet and have iptables
    locked down you should not have much of a problem.

    Most Linux exploits require some poorly coded application leaving a path
    into the system that has a buffer overflow or some other means of
    getting code loaded onto the system that can be executed. From there
    the hacker gets additional code loaded on the system to either gain
    additional privileges via other security holes (packages that have not
    had security updates) or simply to set up spam and bot packages to use
    the system for their own purposes.

    And to check for awstats (I don't think it comes with a man page) run:

    find / -name awstats.pl -print

    Or in a browser try: http://localhost/cgi-bin/awstats.pl

    Assuming that it has been installed in the cgi-bin directory.

    -- 
    Scot L. Harris
    webid@cfl.rr.com
    God, I ask for patience -- and I want it right now! 
    -- 
    fedora-list mailing list
    fedora-list@redhat.com
    To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
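Scot's advice to "check netstat periodically for anything strange" is easier to follow with a small script that compares the listening sockets against the ports you expect to be open. The following is an added example, not part of the original post; the netstat output it parses is a constructed sample (the `netstat -tlnp` column layout is real, the processes and the `EXPECTED_PORTS` list are assumptions for the demonstration). On a live system you would feed it `netstat -tlnp` output run as root instead of the sample.

```shell
#!/bin/sh
# Audit TCP listeners: report anything bound to a non-loopback address on a
# port that is not in EXPECTED_PORTS. Loopback-only services are skipped
# because they are not reachable from the Internet.

# Constructed sample of `netstat -tlnp` output (not from a real host).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      901/sendmail
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1044/httpd
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      2310/unknownd'

# Ports this host is meant to serve to the network (assumed: ssh and http).
EXPECTED_PORTS="${EXPECTED_PORTS:-22 80}"

# unexpected_listeners NETSTAT_TEXT
# Prints "PORT PID/PROGRAM" for every unexpected externally reachable listener.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v expected="$EXPECTED_PORTS" '
        BEGIN {
            n = split(expected, arr, " ")
            for (i = 1; i <= n; i++) ok[arr[i]] = 1
        }
        $1 == "tcp" && $6 == "LISTEN" {
            addr = $4; port = $4
            sub(/.*:/, "", port)        # keep text after the last colon
            sub(/:[^:]*$/, "", addr)    # keep text before the last colon
            if (addr ~ /^127\./) next   # loopback only, not exposed
            if (!(port in ok)) print port, $7
        }'
}

# Count of unexpected listeners, handy for a cron job exit status.
unexpected_count() {
    unexpected_listeners "$1" | grep -c .
}

# Stand-alone run against the constructed sample; for a real check use
# `unexpected_listeners "$(netstat -tlnp 2>/dev/null)"` as root.
unexpected_listeners "$SAMPLE_NETSTAT"
```

Run from cron with the real netstat output and mail yourself the result whenever `unexpected_count` is non-zero; a new listener that you did not install is exactly the "anything strange" the post tells you to look for.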
    
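The post recommends a default-deny iptables policy that also restricts outbound connections to the ports you actually use, which is the step most people skip. Here is an added example of such a ruleset generator; it is not the original poster's configuration or a Fedora default. The allowed port lists are assumptions, and `IPT` defaults to `echo iptables` so the script prints the rules for review instead of applying them; set `IPT=iptables` and run as root to apply.

```shell
#!/bin/sh
# Default-deny host firewall: nothing in except listed services, nothing
# out except listed destination ports and replies to established sessions.
# Dry run by default (prints the iptables commands); IPT=iptables applies them.
IPT="${IPT:-echo iptables}"

# Assumed service lists; adjust to what this host actually needs.
ALLOWED_IN_TCP="${ALLOWED_IN_TCP:-22}"          # services exposed to the network
ALLOWED_OUT_TCP="${ALLOWED_OUT_TCP:-53 80 443}" # DNS, HTTP, HTTPS (updates, browsing)
ALLOWED_OUT_UDP="${ALLOWED_OUT_UDP:-53 123}"    # DNS, NTP

apply_policy() {
    # Start clean and drop by default in every direction.
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Loopback traffic is always fine.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Replies to connections we already allowed.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Inbound: only the services this host is meant to offer.
    for p in $ALLOWED_IN_TCP; do
        $IPT -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done

    # Outbound: only the destination ports this host legitimately uses.
    for p in $ALLOWED_OUT_TCP; do
        $IPT -A OUTPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    for p in $ALLOWED_OUT_UDP; do
        $IPT -A OUTPUT -p udp --dport "$p" -j ACCEPT
    done

    # Log and drop everything else leaving the box; a bot or spam tool that
    # was dropped on the system shows up here when it tries to phone home.
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTBOUND-DROP: " --log-level 4
    $IPT -A OUTPUT -j DROP
}

# Number of explicit port rules the policy generates (for review/testing).
rule_count() {
    apply_policy | grep -c -- '--dport'
}

apply_policy
```

Review the printed rules first, then apply them from a console session rather than over SSH so a mistake in `ALLOWED_IN_TCP` cannot lock you out; the `OUTBOUND-DROP:` lines in `/var/log/messages` are worth a daily look alongside the tripwire and rkhunter reports.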
