boot force attack help
jeff at neobox.net
Mon Jul 25 15:33:00 MDT 2005
> We are running Fedora Core 3 linux server and it seems that our
> system is running boot force attack on other servers.
Perhaps you mean *brute* force attack? That's where your server is
connecting to random IP addresses and attempting to open login sessions
using a dictionary of usernames and passwords.
How did you determine this is happening? Do you have reports from other
servers on the network? Do you see strange (or lots of) network
traffic originating on the server in question?
> What's the best way to go about
> and finding out if my system is compromised or not and removing the
> problem if there's one?
If your system is indeed running attacks like this, it's definitely
compromised... I assume you didn't intentionally install any software
to do that. ;)
The best first step would be to simply unplug the ethernet cable and
stop the attacks. Then you can take some time and figure out what
happened (if possible) and what steps you'd like to take to fix it.
There are a lot of varying opinions about what to do once a box has
been cracked, but the general consensus is to simply rebuild the entire
system. Since you mentioned that you're new to system administration
and server work, a rebuild is *definitely* the best choice. Only
someone intimately familiar with the system and its software would be
able to track down some of the rootkits that might be installed, and
even then it would be a fairly time-consuming process. Unless there's
a powerful or expensive reason to keep the box intact, wipe it.
After rebuilding the system, plug it back into the net and see what
happens. Hopefully you won't be compromised again, but if so then I'd
say it indicates another problem. Could anyone "outside" guess your
root password? Are there security patches for the FC3 packages that
you haven't installed? Et cetera.
Also, as a side comment, I'd take this as a valuable lesson. You've
been burned, but you can learn from it. If you're going to be
administering systems like this from now on, you'll definitely want to
become familiar with the "best practices" for security, keep on top of
patches offered for the software you're running, and generally do what
you can to learn about the systems you're in charge of so this won't
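One way to answer the "lots of network traffic originating on the server" question from the reply above, as an added example that is not part of the original thread: parse `netstat -tnp`-style output and flag any process that fans out to many distinct remote hosts on login ports (21, 22, 23), which is the outbound brute-force pattern described. The sample output, the process names and the threshold are constructed for illustration.

```python
"""Flag local processes fanning out to many remote hosts on login ports."""
from collections import defaultdict
import re

LOGIN_PORTS = {21, 22, 23}   # ftp, ssh, telnet
FANOUT_THRESHOLD = 5         # distinct remote hosts per process before flagging

# Constructed sample of `netstat -tnp` output (not captured from a real host).
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:22             192.0.2.10:51234        ESTABLISHED 812/sshd
tcp        0      0 10.0.0.5:43211          198.51.100.7:22         SYN_SENT    4471/scan
tcp        0      0 10.0.0.5:43212          198.51.100.8:22         SYN_SENT    4471/scan
tcp        0      0 10.0.0.5:43213          198.51.100.9:22         ESTABLISHED 4471/scan
tcp        0      0 10.0.0.5:43214          203.0.113.4:22          SYN_SENT    4471/scan
tcp        0      0 10.0.0.5:43215          203.0.113.5:22          SYN_SENT    4471/scan
tcp        0      0 10.0.0.5:43216          203.0.113.6:22          SYN_SENT    4471/scan
tcp        0      0 10.0.0.5:80             192.0.2.20:40000        ESTABLISHED 900/httpd
tcp        0      0 10.0.0.5:52000          192.0.2.30:22           ESTABLISHED 1200/ssh
"""

# proto recv-q send-q local:port remote:port state pid/program
LINE_RE = re.compile(r'^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\S+)$')

def parse_netstat(text):
    """Yield (local_port, remote_host, remote_port, state, program) per tcp line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(2)), m.group(3), int(m.group(4)), m.group(5), m.group(6)

def outbound_fanout(text, ports=LOGIN_PORTS, threshold=FANOUT_THRESHOLD):
    """Return {program: sorted distinct remote hosts} for programs whose
    connections *to* a login port on other hosts reach the threshold.
    Inbound sessions (our local port is the login port) are ignored."""
    targets = defaultdict(set)
    for local_port, rhost, rport, _state, prog in parse_netstat(text):
        if rport in ports and local_port not in ports:
            targets[prog].add(rhost)
    return {p: sorted(h) for p, h in targets.items() if len(h) >= threshold}

if __name__ == "__main__":
    for prog, hosts in outbound_fanout(SAMPLE).items():
        print(f"{prog}: {len(hosts)} distinct hosts on login ports -> {hosts}")
```

On a live box, feed it `netstat -tnp` (or `ss -tnp`, whose columns differ) a few times over a minute; a legitimate admin `ssh` session touches one or two hosts, a scanner touches dozens.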