boot force attack help

Jeff Schroeder jeff at neobox.net
Mon Jul 25 15:33:00 MDT 2005


Bibhor:

> We are running a Fedora Core 3 Linux server and it seems that our
> system is running a boot force attack on other servers.

Perhaps you mean *brute* force attack?  That's where your server is 
connecting to random IP addresses and attempting to open login sessions 
using a dictionary of usernames and passwords.

How did you determine this is happening?  Do you have reports from other 
servers on the network?  Do you see strange (or lots of) network 
traffic originating on the server in question?

> What's the best way to go about
> finding out if my system is compromised or not and removing the
> problem if there's one?

If your system is indeed running attacks like this, it's definitely 
compromised... I assume you didn't intentionally install any software 
to do that. ;)

The best first step would be to simply unplug the ethernet cable and 
stop the attacks.  Then you can take some time and figure out what 
happened (if possible) and what steps you'd like to take to fix it.  
There are a lot of varying opinions about what to do once a box has 
been cracked, but the general consensus is to simply rebuild the entire 
system.  Since you mentioned that you're new to system administration 
and server work, a rebuild is *definitely* the best choice.  Only 
someone intimately familiar with the system and its software would be 
able to track down some of the rootkits that might be installed, and 
even then it would be a fairly time-consuming process.  Unless there's 
a powerful or expensive reason to keep the box intact, wipe it.

After rebuilding the system, plug it back into the net and see what 
happens.  Hopefully you won't be compromised again, but if so then I'd 
say it indicates another problem.  Could anyone "outside" guess your 
root password?  Are there security patches for the FC3 packages that 
you haven't installed?  Et cetera.

Also, as a side comment, I'd take this as a valuable lesson.  You've 
been burned, but you can learn from it.  If you're going to be 
administering systems like this from now on, you'll definitely want to 
become familiar with the "best practices" for security, keep on top of 
patches offered for the software you're running, and generally do what 
you can to learn about the systems you're in charge of so this won't 
happen again.

Good luck!

Jeff
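As an added example (not part of Jeff's reply or anything posted to the PLUG list), here is one way to answer his "lots of traffic originating on the server" question before pulling the cable: feed the connection table from `netstat -ntp` (or `ss -ntp`) to a small script and look for any single process that is fanning out to many distinct remote hosts on port 22. A legitimate admin session goes to one host; a dictionary attacker walks through dozens. The sample table, the process name `sshscan`, the PIDs and the threshold of five hosts are all constructed for illustration and only use documentation address ranges.

```python
"""Flag processes that are fanning out to many remote SSH servers, the
signature of an outbound brute-force (dictionary) attack, in netstat -ntp
style output.  Added example; the sample table below is constructed and
does not come from any real system."""

from collections import defaultdict

# Constructed `netstat -ntp` output.  192.0.2.10 is the host being checked;
# 198.51.100.x and 203.0.113.x are remote peers.  PIDs and names are made up.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.10:22           198.51.100.7:51234      ESTABLISHED 2210/sshd: admin
tcp        0      0 192.0.2.10:40110        198.51.100.20:22        ESTABLISHED 1200/ssh
tcp        0      0 192.0.2.10:41001        203.0.113.5:22          ESTABLISHED 4321/sshscan
tcp        0      1 192.0.2.10:41002        203.0.113.17:22         SYN_SENT    4321/sshscan
tcp        0      0 192.0.2.10:41003        203.0.113.44:22         ESTABLISHED 4321/sshscan
tcp        0      1 192.0.2.10:41004        203.0.113.90:22         SYN_SENT    4321/sshscan
tcp        0      0 192.0.2.10:41005        203.0.113.131:22        TIME_WAIT   -
tcp        0      1 192.0.2.10:41006        203.0.113.202:22        SYN_SENT    4321/sshscan
tcp        0      0 192.0.2.10:41007        203.0.113.250:22        ESTABLISHED 4321/sshscan
tcp        0      0 192.0.2.10:53120        198.51.100.9:80         ESTABLISHED 3001/wget
"""


def parse_netstat(text):
    """Turn netstat -ntp lines into dicts; header and non-TCP lines are skipped."""
    conns = []
    for line in text.splitlines():
        # The program name may contain spaces ("sshd: admin"), so split into
        # at most 7 fields and keep the remainder whole.
        parts = line.split(None, 6)
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6"):
            continue
        local, foreign, state = parts[3], parts[4], parts[5]
        owner = parts[6].strip() if len(parts) == 7 else "-"
        rhost, _, rport = foreign.rpartition(":")
        if not rport.isdigit():
            continue
        pid, _, prog = owner.partition("/")        # "-" means no owning process
        conns.append({
            "local": local,
            "remote_host": rhost,
            "remote_port": int(rport),
            "state": state,
            "pid": None if pid == "-" else pid,
            "program": prog or "-",
        })
    return conns


def find_outbound_fanout(conns, port=22, threshold=5):
    """Group *outbound* connections to `port` by owning process and return the
    processes talking to at least `threshold` distinct remote hosts, with the
    number of half-open (SYN_SENT) attempts as an extra hint.  The threshold
    is an assumption; tune it for the host's normal behaviour."""
    hosts = defaultdict(set)
    syn_sent = defaultdict(int)
    for c in conns:
        # Inbound sessions carry the service port on the *local* side, so a
        # remote port check naturally excludes people logging in to us.
        if c["remote_port"] != port:
            continue
        key = (c["pid"], c["program"])
        hosts[key].add(c["remote_host"])
        if c["state"] == "SYN_SENT":
            syn_sent[key] += 1
    return {
        key: {"hosts": sorted(h), "syn_sent": syn_sent[key]}
        for key, h in hosts.items()
        if len(h) >= threshold
    }


if __name__ == "__main__":
    for (pid, prog), info in find_outbound_fanout(parse_netstat(SAMPLE_NETSTAT)).items():
        print(f"pid {pid} ({prog}): {len(info['hosts'])} distinct SSH targets, "
              f"{info['syn_sent']} half-open; e.g. {', '.join(info['hosts'][:3])}")
```

On a live box run `netstat -ntp` (or `ss -ntp`) as root and pipe its output into `parse_netstat`. One caveat that follows from Jeff's advice: a kernel or userland rootkit can hide sockets and processes from `netstat`, so a clean result from the suspect machine proves nothing; the "reports from other servers" and the traffic seen from a switch, firewall or neighbouring host are the evidence to trust.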