sdonnet@ddo-org.com wrote:
> > > > Reformat and reinstall operating system from original media, apply all
> > > > updates before opening any internet facing service.
> > > >
>
> Thanks for all your advice.
>
> I already have uninstalled openssh-server. I still cannot uninstall
> openssh and openssh-clients due to dependencies.
>
> As I cannot stop the server, because it is on production, my only
> solution is to install a new fresh one, transfer the data (it is a mail
> server), and reinstall+format the first one, and transfer back.
>
> I think I'll be busy on next week...
This is nowhere near enough. The cracker may have every password from
that system, including sudo passwords or root or SSH keys that are
stored locally, especially those without passphrases. They've been into
the system: even if the rest of the binaries are not corrupted, the
SSHD the cracker installed was doubtless sniffing passwords, and many
old tools such as CVS or many Subversion clients store passwords
locally in clear text.
You're due for a *LOT* of work. This is a good time to hop from RHEL
3.x to RHEL 4.x or CentOS 4.x, and pursuing it as a policy to prevent
future such cracks.
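As an added illustration of the reply's point (not code from either poster), the following POSIX sh helper inventories the locally stored credentials it names, passphrase-less SSH keys, CVS `.cvspass` files and cleartext Subversion auth caches, on a mounted copy of the old disk so the admin knows what to rotate after the rebuild. The file layouts, paths and the `alice` sample data are assumptions made for the example.

```shell
# Hypothetical post-compromise helper (not from the thread): inventory the
# locally stored credentials the reply warns about, so each can be rotated.
# Point it at a mounted copy of the old disk, never at the live system.
# PEM private keys with no passphrase. Assumes the classic PEM layout, where
# an encrypted key carries a "Proc-Type: 4,ENCRYPTED" header.
list_unprotected_ssh_keys() {
    find "$1" -type f -name 'id_*' ! -name '*.pub' 2>/dev/null |
    while read -r key; do
        grep -q 'BEGIN .*PRIVATE KEY' "$key" || continue
        grep -q 'Proc-Type: 4,ENCRYPTED' "$key" || echo "$key"
    done
}

# Subversion's simple auth cache says "passtype ... simple" when the
# password itself is stored in clear text.
list_svn_plaintext_creds() {
    find "$1" -type f -path '*/.subversion/auth/svn.simple/*' 2>/dev/null |
    while read -r f; do
        grep -q '^passtype$' "$f" && grep -q '^simple$' "$f" && echo "$f"
    done
}

# Labelled report (status 0 = nothing found, 1 = rotate now). ~/.cvspass holds
# pserver passwords under a reversible scramble, so it is listed outright.
credential_exposure_report() {
    report=$( {
        list_unprotected_ssh_keys "$1" | sed 's/^/ssh-key-no-passphrase: /'
        find "$1" -type f -name .cvspass 2>/dev/null | sed 's/^/cvs-scrambled-password: /'
        list_svn_plaintext_creds "$1" | sed 's/^/svn-cleartext-password: /'
    } )
    [ -n "$report" ] || return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed sample home directory (fake data) for a stand-alone run.
build_sample_tree() {
    h="$1/home/alice"; mkdir -p "$h/.ssh" "$h/.subversion/auth/svn.simple"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' AAAA \
        '-----END RSA PRIVATE KEY-----' > "$h/.ssh/id_rsa"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        AAAA '-----END RSA PRIVATE KEY-----' > "$h/.ssh/id_dsa"
    printf '%s\n' '/1 :pserver:alice@cvs.example:/repo Ay=0=h' > "$h/.cvspass"
    printf '%s\n' 'K 8' passtype 'V 6' simple 'K 8' password 'V 6' secret END \
        > "$h/.subversion/auth/svn.simple/abc"
}
SAMPLE=$(mktemp -d); build_sample_tree "$SAMPLE"
credential_exposure_report "$SAMPLE" || :   # non-zero status = findings exist
rm -rf "$SAMPLE"
```

Keys in the newer `openssh-key-v1` container are not recognised by the PEM header check; for those, `ssh-keygen -y -P '' -f KEY` succeeding is the equivalent signal.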