|
|||||||||
|
|||||||||
| |||||||||
|
|
|
| |||||||||
 |
|
|
«
Previous Thread
|
Next Thread
»
|
Thread Tools | Search this Thread | Rate Thread | Display Modes |
Dev Shed Forums Sponsor:
|
|
Generate data entry and reporting .NET Web apps in minutes, straight from your database. Read our FREE whitepaper Build Web 2.0 Applications Without Hand-Coding Download now! |
|
#1
June 6th, 2002, 06:45 AM
|
|||
|
|||
|
might i have been invade?
i admin one server on internet with only openssh,sftp via openssh , oracle 1521, tomcat, apache , the other ports has been closed by iptable,
however, today i can not connect to this website by sftp, the client said, the protocol do not match any more, it is openssh -1.5-2.9v, anyway, it should been openssh-1.99-2.9v, as it has been worked for a long time. my questiong is : whether i have been invade? or , why the openssh head could change? thanks for your tips; fredkerick
|
|
#2
June 6th, 2002, 03:31 PM
|
|||
|
|||
|
sorry, to hear that.
seems like you have been hacked.  Quote:
did you keep your kernel, ssh and apache / tomcat / oracle up-to-date? Did you check if your iptables config works with nmap/another port scanner from a remote host? And which distribution / version do you use? i am subscribed to the SuSE security mailing list and on March, 07 they had a warning about openssh <3.1 ........ buffer overflow  ...Any sysadmin of a system connected to the īnet should read at least one security mailing list! (rh, suse, independent ones like cert / antionline / rootshell ...) you should shutdown your server, boot from a cd-rom, backup all data to a second harddrive or tape, re-install from scratch and apply all security updates/patches available before you re-connect to the īnet. after this you can analyze the backup data for signs of an intrusion. but todayīs rootkits seldomly leave traces....
__________________
-- Manuel Hirsch - Linux, FreeBSD, programming, administration articles, tutorials and more.
|
|
#3
June 6th, 2002, 09:37 PM
|
|||
|
|||
|
thanks M.Hirsch,
my version is redhat 7.2, the openssh is the version coming with it altogether. may i update for the newest version? moreover, it really work fine for a long time. best regards, frederick
|
|
#4
June 7th, 2002, 03:03 PM
|
|||
|
|||
|
time is the enemy of the security administrator. not hackers.
if you use "outdated" software, itīs just a matter of time till some automatic script scans your machine and finds the security hole. since security holes are published, most programmers could write code to exploit it. of course old software does not cease working by itself (besides ms windows and some other crappy programs). somebody had his hands on it... and: no, you must not update this system, but format the harddrive and re-install. then update. your system could be completely modified so you donīt get the hackerīs files displayed in "ls -la", no hacker-processes running on "top" or "ps axu", ... this all can be done on kernel level so you really have no chance to circumvent it other than reinstalling. he/she replaced your SSH package already (probably with a version that logs passwords, so use new passwords after reinstalling!) hope you have backups... if you make them now, chances are good that the hacker fīd something up already... Last edited by M.Hirsch : June 7th, 2002 at 03:06 PM.
|
|
| Viewing: Dev Shed Forums > Operating Systems > Linux Help > might i have been invade? |
| Thread Tools | Search this Thread |
| Display Modes | Rate This Thread |
|
|
 |
|
|
Del.icio.us
Digg
Google
Spurl
Blink
Furl
Simpy
Y! MyWeb
Linear Mode
