
Re: Firewall/Port Problem



Cynthia Blue wrote:
Thank you very much for your reply. :) I think I am going to reinstall.  I
will save your email though for future reference.  I really just want to get
my mail servers up again, as I don't like it when my email bounces... do I
have to start Apache to get Postfix going, or are they mutually exclusive?

Postfix and Apache are separate beasts. Apache listens to port 80 (http), Postfix on port 25 (smtp).

I'll give it a try. :)

Good luck, kiddo!


Cynthia Blue wrote:

Thanks for the reply...
I'm looking in dev for anything odd.. and GNOME is telling me there are more
files than it can open. There are a bunch of odd things in there... some
fd1h1200, 0 bytes block device, but I am not familiar with RH Linux yet to
know what is okay, and what is not.   Some tty3 files, 0 byte character
device, last modified today.  A whole bunch of stuff.

Actually, those are fine. fd1h1200 is the /dev entry for your second floppy drive (if you had one), and specifies the 5.25", 1.2MB type (remember those?). The tty ones are for the console ports on your system. I'm sorry. I should have warned you about /dev...it can look odd.


Can someone hack into a server through port 25?  I don't know if it's
someone targeting me specifically, or if it was just something random. I had
a W2K server going and it kept crashing on me after a while... so maybe I
have someone targeting my IP address... the RH Linux server seemed great and
secure until I opened port 25 for ftping some files. :(

Certainly they can...especially if you have an older version of wu-ftpd or permit anonymous FTP access. Your best bet is to NEVER allow telnet or FTP access. Use ssh instead. ssh gives you a telnet-like _secure_ connection. The daemon also has an sftp _secure_ FTP mode. If you need to get at FTP from Windows, then do a google search and find a copy of "putty". It contains Windows-based ssh and sftp clients.

First off, UNPLUG YOUR SYSTEM FROM THE NETWORK, just in case you were
hacked.  If you can, get a good copy of "find" or use the installed one
if it hasn't been compromised.  Check that your /usr/bin/find program
looks like this (under 8.0):

[root igor root]# ls -l /usr/bin/find
-rwxr-xr-x    1 root   root   65119    Jul 3  09:30 /usr/bin/find

If so, then your find is probably uncompromised. In that case, try:

# find / -daystart -mtime -2 -print

This will display any file anywhere on your system that has been
modified in the last 2 days (use a number that predates when you think
you were hacked).

Files such as /var/log/messages, /var/log/utime, etc. will get updated
often, so you don't need to be too suspicious of them, but ones in /etc,
/bin, /usr/bin, /sbin, /usr/sbin and other system-level directories
should NEVER CHANGE.  If they have, UNPLUG YOUR SYSTEM FROM THE NETWORK
IMMEDIATELY and either re-install Linux or fix the affected files.
You have been hacked.

I wish I could be more help, but detecting and fixing hacks can be
a very tedious job.  As I said, the safest thing is to reinstall
Linux and set up and run something like tripwire to watch any file
changes.  NEVER, EVER permit telnet access to your system.  Use the
newest wu-ftpd daemon (or use something like proFTP...also free).
Do NOT permit anonymous FTP unless you ABSOLUTELY have to (to disable
it, delete the "ftp" user via "userdel ftp").

If I can be of any more help, please don't hesitate to post to the list
or email me directly.

----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens vitalstream com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-      "Doctor!  My brain hurts!"  "It will have to come out!"       -
----------------------------------------------------------------------



_______________________________________________
Redhat-install-list mailing list
Redhat-install-list redhat com
https://listman.redhat.com/mailman/listinfo/redhat-install-list
To Unsubscribe Go To ABOVE URL or send a message to:
redhat-install-list-request redhat com
Subject: unsubscribe







--
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens vitalstream com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-      I won't rise to the occasion, but I'll slide over to it.      -
----------------------------------------------------------------------
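
The two checks from the quoted message above (recently modified files in system directories, and a tripwire-style watch for file changes), written out as an added example that is not part of the original thread. The function names, the root-prefix argument and the baseline format are assumptions made for illustration; this is not Tripwire's own format or tooling.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Paths are relative to a root
# prefix so the checks can also run against a mounted copy of a disk.
# Assumes GNU find, sha256sum and awk; function names are illustrative.

# System directories the post says should never change.
SYS_DIRS="etc bin sbin usr/bin usr/sbin"

# existing_dirs ROOT: print the system directories present under ROOT.
existing_dirs() {
    for d in $SYS_DIRS; do
        [ -d "$1/$d" ] && printf '%s\n' "$d"
    done
    return 0
}

# recent_changes ROOT DAYS: the post's find check, limited to system dirs.
# Relies on mtime, which anyone with write access can reset.
recent_changes() (
    dirs=$(existing_dirs "$1")
    [ -n "$dirs" ] || exit 0
    cd "$1" && find $dirs -daystart -type f -mtime "-$2" -print | sort
)

# snapshot ROOT: "<sha256>  <path>" for every file in the system dirs.
snapshot() (
    dirs=$(existing_dirs "$1")
    [ -n "$dirs" ] || exit 0
    cd "$1" && find $dirs -type f -exec sha256sum {} + | sort -k 2
)

# compare BASELINE ROOT: list files ADDED, CHANGED or REMOVED since BASELINE.
compare() (
    snapshot "$2" | awk -v base="$1" '
        BEGIN { while ((getline line < base) > 0)
                    old[substr(line, 67)] = substr(line, 1, 64) }
        { path = substr($0, 67); hash = substr($0, 1, 64)
          if (!(path in old)) print "ADDED " path
          else if (old[path] != hash) print "CHANGED " path
          delete old[path] }
        END { for (p in old) print "REMOVED " p }' | sort
)
```

Take the snapshot right after a clean install and keep the baseline file off the machine; a file whose modification time has been set back is missed by `recent_changes` but still reported as CHANGED by `compare`.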




