- 11-07-2007 #1
- Join Date
- Oct 2007
Server was hacked and needs to clean up
The Mandriva 2006 server in my lab was hacked twice in three months.
The server was then used to hack other servers.
I re-installed the OS after the first attack. Here the attack came again!
If I simply re-install the OS this time there might be a third attack
and installation is time-consuming. Under Windows you can check REG
or use anti-virus software. In my situation what can I do to detect
a virus (trojan) and unusual processes?
Your suggestion is highly appreciated.
- 11-07-2007 #2
How did you know that it was hacked? Does this server connect directly to the net, or is it behind a router? Are you using any firewall on it? Which ports do you need?
- 11-07-2007 #3
- Join Date
- Oct 2007
Thanks for your reply.
This server was controlled to attack other servers and consequently I got phone calls.
I am not sure whether it is behind a router or not but I would guess yes.
I use the 'default' firewall of Mandriva 2006. Only four services were allowed by this firewall, ftpd, httpd, sshd and ping.
- 11-07-2007 #4
This I can't confirm, and I can't detect where the vulnerability is coming from in Mandriva 2006. Are you always updating the system, especially the security fixes? In order to check hackers' activity, run this:
- 11-08-2007 #5
I'd highly recommend performing another new install. This time, before putting the box on the network, perform some basic hardening.
Post the results of netstat -ltun here after the fresh install.
Only four services were allowed by this firewall, ftpd, httpd, sshd...
- 11-08-2007 #6
- 11-08-2007 #7
- Join Date
- Nov 2004
The chances are it's through ssh.
- Use stronger passwords,
- Disable root login through ssh
- If possible change the ssh port to something much higher as scripts are almost always run against port 22
- Consider using ssh keys instead of passwords for ssh authentication
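An added example, not part of the thread or any poster's code: a small Python audit of sshd_config text for the three suggestions in post #7 that are visible in configuration (root login, port 22, password authentication). The sample config and the function names are constructed for illustration, and parsing stops at the first Match block as a simplification.

```python
# Added example: SAMPLE_CONFIG is constructed, not taken from the thread.
SAMPLE_CONFIG = """\
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PermitRootLogin no
Match User backup
    PasswordAuthentication no
"""

def parse_global(text):
    """Return (settings, ports) for the global section of sshd_config.

    sshd keeps the FIRST value it reads for a keyword, so a later
    duplicate does not override it. Port may be repeated, so every Port
    line is collected. Lines from the first Match onward are conditional
    and are skipped here (simplification).
    """
    cfg, ports = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or commented-out setting
        parts = line.split(None, 1)
        key = parts[0].lower()            # keywords are case-insensitive
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "match":
            break
        if key == "port":
            ports.append(value)
        else:
            cfg.setdefault(key, value)    # first occurrence wins
    return cfg, ports

def audit(text):
    """Return findings for root login, port 22 and password logins."""
    cfg, ports = parse_global(text)
    findings = []
    root = cfg.get("permitrootlogin")
    if root is None:
        findings.append("PermitRootLogin not set; default depends on the OpenSSH version")
    elif root.lower() != "no":
        findings.append(f"PermitRootLogin is '{root}'; root login is not fully disabled")
    if not ports or "22" in ports:        # no Port line means the default, 22
        findings.append("sshd listens on port 22")
    if cfg.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is enabled; keys are not enforced")
    return findings
```

On the sample, all three checks fire: the second `PermitRootLogin no` is ignored because the first value wins, and the `PasswordAuthentication no` lines are either commented out or inside a Match block.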
- 11-08-2007 #8
Originally Posted by aliov
Second, define "configured correctly". Even heavily hardened services can be cracked via brute force, zero-day exploits, etc.
- 11-08-2007 #9
- 11-08-2007 #10
Ok, you are asking about a hypothetical case (because it sounds to me like OP is running a box with several services wide open to the world). The ease with which it is getting cracked sounds like he has work to do.
Let me put it this way. If:
- All unused services are shut off.
- Shell access is restricted/hardened.
- Packet filtering rules are appropriately set.
- MAC policies are correctly set.
- Suid binaries are disabled or somehow contained.
- Public services are hardened to great extent.
- Physical access is properly controlled.
- (the theme here is that "Everything is denied unless specifically allowed")
- Auditing and logging is in place.
... then I think 99.9% of crackers will move on to a much easier target, unless you've really got something they want. Like anything in life, there is no perfect security solution. But you can increase the odds of protecting yourself so dramatically that you are not a good candidate to be targeted/compromised.