Re: Was I hacked?: webmin note


Subject: Re: Was I hacked?: webmin note
From: Michael A. Peters (Moonglue@141.com )
Date: Thu Aug 17 2000 - 21:05:52 MDT


>When I telnetted into my YDL server this morning, I was greeted by this:
>
>"Last login: Wed Aug 16 11:31:58 from
>ip-64-63-37-99.reverse.mobilenetics.com"

Use ssh.

With the recent webmin discussion, it's only proper that I point out
that unless you installed the ssl perl module and are connecting to
webmin via https, it's also a security hazard for the same reason: the
user and password for webmin are broadcast in plain text (it's fine,
though, if you only connect to webmin via 127.0.0.1). In order to use
webmin securely, install the ssl perl module, and set up webmin to
use it.

-=-

This is less of an issue for ppc users, as most kitties are from
x86, but it's still an issue (particularly if you have a compiler
installed, as most people do). When a kittie roots a machine, they
frequently install modified utilities such as ls and ps. It's really a
good idea to have cron running a check once a minute to verify that
the md5 checksum of certain binaries hasn't changed. You can make
scripts that check the checksums of key binaries (and text files)
once a minute, or you can download some premade scripts that do it.

I prefer to brew your own, as it may be a little less obvious to the
kitty that it's happening. But if you aren't good at scripting, the
kits are better than nothing.

I think you can find the kits at securityfocus.com

Generally, upon a checksum failure, you want the script to send an
e-mail (or a coded page if it's not an e-mail pager) to your pocket
pager. If you don't have a pocket pager with that capability, you can
send it instead to a user account on a different machine that you
check frequently.

rpm can also verify the integrity of packages, but you will want to
keep a copy of the rpm database on CD or some other non-mounted
media, as the rpm database can be spoofed.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Michael A. Peters-- http://24.5.29.77/Linux_Pages/
                                http://www.omnilinux.com/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
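The "brew your own" checksum check the post recommends, written out as an added shell example that is not part of the original message. It records md5sums of chosen binaries into a baseline, re-verifies them (the idea being that cron runs it once a minute), and on a mismatch appends a report to a log and mails it if mail(1) and an address are available. Assumptions not stated in the post: GNU coreutils md5sum is installed, file names contain no spaces, and the baseline itself sits on media the intruder cannot rewrite, otherwise it can be "fixed" along with the trojaned ls or ps.

```shell
#!/bin/sh
# Added example, not code from the original post: a minimal cron-driven
# md5 integrity checker for a list of key binaries and text files.
# Assumes GNU coreutils md5sum and file names without spaces.

# make_baseline BASELINE FILE... : write "checksum  path" lines for each file.
# Keep BASELINE on read-only or unmounted media (CD, remote host).
make_baseline() {
    baseline=$1
    shift
    md5sum "$@" > "$baseline"
}

# check_baseline BASELINE : compare each recorded file with its current
# checksum. Prints one line per problem; returns 0 if all match, 1 otherwise.
check_baseline() {
    baseline=$1
    failed=0
    while read -r recorded path; do
        if [ ! -f "$path" ]; then
            echo "MISSING: $path"
            failed=1
            continue
        fi
        current=$(md5sum "$path" | cut -d' ' -f1)
        if [ "$current" != "$recorded" ]; then
            echo "CHANGED: $path"
            failed=1
        fi
    done < "$baseline"
    return $failed
}

# alert_if_changed BASELINE LOGFILE [ADDRESS] : the cron entry point. On a
# failed check, append the report to LOGFILE and, when mail(1) exists and an
# address was given, send the report there too. Returns the check's status.
alert_if_changed() {
    baseline=$1
    logfile=$2
    address=$3
    if report=$(check_baseline "$baseline"); then
        status=0
    else
        status=$?
    fi
    if [ "$status" -ne 0 ]; then
        {
            echo "$(date) integrity check failed on $(uname -n):"
            echo "$report"
        } >> "$logfile"
        if [ -n "$address" ] && command -v mail >/dev/null 2>&1; then
            echo "$report" | mail -s "integrity check failed on $(uname -n)" "$address"
        fi
    fi
    return "$status"
}

# Command-line dispatch:
#   integrity.sh init  BASELINE FILE...
#   integrity.sh check BASELINE LOGFILE [ADDRESS]
# Example cron line (hypothetical paths), once a minute as the post suggests:
#   * * * * * /usr/local/sbin/integrity.sh check /mnt/cdrom/baseline.md5 /var/log/integrity.log root@otherhost
case "${1:-}" in
    init)  shift; make_baseline "$@" ;;
    check) shift; alert_if_changed "$@" ;;
esac
```

Run `init` once from a known-clean system with a list such as `/bin/ls /bin/ps /bin/netstat /etc/passwd`, then copy the baseline off-box before adding the cron line. Because the mail goes out from the possibly compromised host, the post's advice to deliver to a different machine you check regularly still applies.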
  



This archive was generated by hypermail 2a24 : Thu Aug 17 2000 - 21:12:13 MDT