Re: Found, a new rootkit
- From: Gene Heskett <gene.heskett@xxxxxxxxxxx>
- Date: Sat, 01 Apr 2006 12:08:58 -0500
On Friday 31 March 2006 19:29, John Summerfield wrote:
Gene Heskett wrote:
We've cut our bandwidth use in half by getting rid of that. We also
checked the logs and added several dozen more addresses
to /etc/hosts.deny,
That is fairly useless. IP addresses of attackers change as quickly at
IP addressess of spammers, and they have so many it's like trying to
fence off the porn sites of the world.
More important is to discover how the rogue gained entry and to close
that loophole. How did the shell script get there? Whose account was
used? Does .bash_history include useful clues about what was done? Did
the attacker send email after gaining entry? If so, the recipent
domain (eg Yahoo) may be interested.
Root's account, eh? Disallow password-based authentication for root.
Ensure that only those who need it have shell accounts, and that those
have good passwords. _I_ have incoming ssh land on my personal
desktop, there there is only my password to worry about.
root ssh is denied. To do normal maintainance we log in as ourselves &
su -.
--
Cheers, Gene
People having trouble with vz bouncing email to me should add the word
'online' between the 'verizon', and the dot which bypasses vz's
stupid bounce rules. I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2006 by Maurice Eugene Heskett, all rights reserved.
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
- References:
- Re: Found, a new rootkit
- From: John Summerfield
- Re: Found, a new rootkit
- Prev by Date: Re: Found, a new rootkit
- Next by Date: RE: Software Raid 5 (FC5)
- Previous by thread: Re: Found, a new rootkit
- Next by thread: Re: Found, a new rootkit
- Index(es):
Relevant Pages
|
