Re: [GLLUG] meeting idea?

Benjamin Cathey benjamincathey at catheycompany.com
Tue Aug 22 17:55:34 EDT 2006


> > The recent discussion about the putty titlebar gave me an idea.  How about
> > a "So you've been hacked - how to deal with it" meeting?  Topics like how to
> > detect you have a problem and what to do about the problem.
> > 
> > I know this can be a tricky subject.  When I started my new job here the
> > first thing I had to do was reload the mailserver.  It had been hacked (they
> > left traces in the .bash_history) and I didn't know what else to do but
> > reload.  
> 
> That was the smart course of action (if not brilliant) if that is all 
> you knew how to do at the time.  Now that you've had more experience you 
> might be able to dig down into the system and trace what actually 
> happened before reinstalling the OS and thus you could close off the 
> open security hole (could have just been old, buggy software and an 
> upgrade to newer [buggy] software closed the open hole - or the security 
> hole might still exist in, say, the firewall).


Right, the problem was that there was NO firewall set up.  Ridiculous, I know, but that is what happens when people who don't really know anything about Linux set up a mailserver.  When I started I couldn't believe that they didn't have ANYTHING protecting them.

At that point I did disconnect it from the network.  

Someone was able to guess the password for the root account (I was able to trace quite a bit back).  From there they installed software on the server which was trying brute-force attacks on a specified IP range, and then someone was coming in to get the data.  It was scary to look at all that info.  I didn't really know WHO to contact to give the log files to (and all the netstat and other INFO I got).  I figured SOMEONE should be told it was going on.


-Benjamin
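The "how to detect you have a problem" part of the proposed meeting maps onto what Benjamin describes: a guessed root password followed by the box being used as a brute-force launcher. Below is an added example, not from the original post or the list, of the kind of check a sysadmin could run over the server's authentication log to spot that pattern. It assumes OpenSSH-style `sshd` lines in `/var/log/auth.log` (the post does not say which service the attacker came in through, so that is an assumption); the sample log lines are constructed and use RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH's auth.log format (not taken from the
# original post). They model a password-guessing run against root that ends
# in a successful login, plus some unrelated benign and failed entries.
SAMPLE_LOG = """\
Aug 22 03:14:01 mail sshd[2011]: Failed password for root from 192.0.2.10 port 51234 ssh2
Aug 22 03:14:03 mail sshd[2012]: Failed password for root from 192.0.2.10 port 51235 ssh2
Aug 22 03:14:05 mail sshd[2013]: Failed password for invalid user admin from 192.0.2.10 port 51236 ssh2
Aug 22 03:14:07 mail sshd[2014]: Failed password for root from 192.0.2.10 port 51237 ssh2
Aug 22 03:14:09 mail sshd[2015]: Failed password for root from 192.0.2.10 port 51238 ssh2
Aug 22 03:14:11 mail sshd[2016]: Accepted password for root from 192.0.2.10 port 51239 ssh2
Aug 22 09:02:44 mail sshd[2300]: Accepted publickey for ben from 198.51.100.7 port 40022 ssh2
Aug 22 10:30:12 mail sshd[2401]: Failed password for root from 203.0.113.5 port 33001 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." as well as "Accepted ..." lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse(lines):
    """Turn raw sshd log lines into dicts; lines that are not auth events are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_bruteforce_logins(lines, threshold=3):
    """Flag a successful *password* login that follows at least `threshold`
    failures from the same source address, i.e. a guessed password.

    Returns (hits, failures): hits is a list of (src, user, timestamp) tuples,
    failures maps each source address to its failed-attempt count.
    Key-based logins are never flagged, even after failures from that source.
    """
    failures = defaultdict(int)
    hits = []
    for ev in parse(lines):
        if ev["result"] == "Failed":
            failures[ev["src"]] += 1
        elif ev["method"] == "password" and failures[ev["src"]] >= threshold:
            hits.append((ev["src"], ev["user"], ev["ts"]))
    return hits, dict(failures)


def report(lines, threshold=3):
    """Human-readable summary, the sort of thing you would hand to whoever owns the source IP."""
    hits, failures = find_bruteforce_logins(lines, threshold)
    out = []
    for src, count in sorted(failures.items(), key=lambda kv: -kv[1]):
        out.append(f"{src}: {count} failed attempt(s)")
    for src, user, ts in hits:
        out.append(f"GUESSED PASSWORD: {user} from {src} at {ts} "
                   f"after {failures[src]} failures")
    return "\n".join(out)


if __name__ == "__main__":
    # Real use: run over the live log instead of the constructed sample, e.g.
    #   with open("/var/log/auth.log") as f: print(report(f))
    print(report(SAMPLE_LOG.splitlines()))
```

The threshold is deliberately low so the example is readable; on a real Internet-facing host you would tune it and correlate the flagged source with `last`, `.bash_history`, and the `netstat` listing of outbound connections the post mentions, since the same address that guessed the password is a likely place for the stolen data to have gone.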
