RE: [FW1] Webserver/Firewall issue...
Thank you very much for your valuable suggestions. I will try to do as you suggested and let you know about the outcomes.

Thanks again,
Chandra.

-----Original Message-----
From: Palmer, Kevin [mailto:[email protected]]
Sent: Saturday, February 10, 2001 10:47 PM
To: 'Mouliswaran, Chandra'
Subject: RE: [FW1] Webserver/Firewall issue...

Chandra,

When one of my servers was hacked I wasn't even able to log in from the console. None of my accounts worked, including root. The best I could do was type 'linux single' at the LILO prompt. I have a pretty good idea that I pulled the plug on the server while the unknown hacker was logged in and looking around. After I surveyed the damage I decided the best thing to do would be to back up several text config files, then reformat and reload. There was quite a bit of damage once I started looking. I found a root kit, hidden processes, new accounts, a new IRC server in the process of being installed, hidden directories, and nearly clean log files. The server in question was a non-production box. This server and several others are now in their own DMZ.

Recommendations?

Log in at the server if possible. Restart the server and enter "linux single" at the LILO prompt if necessary. Type "cd /" then "cat /etc/passwd". Are there any new accounts?

Move your server into a DMZ. There is always a way to make this work.

The Know Your Enemy whitepaper series provides a good overview of some common Unix exploits.
http://project.honeynet.org/papers/

Is it just me or was there a more detailed version of "Know Your Enemy"?

Kevin Palmer

-----Original Message-----
From: Mouliswaran, Chandra [mailto:[email protected]]
Sent: Saturday, February 10, 2001 7:19 PM
To: '[email protected]'
Subject: [FW1] Webserver/Firewall issue...
Importance: High

Hi all,

We have an Apache web server running on Redhat Linux, hosting one of our websites. Due to some special business-critical requirements we are running this outside our firewall.

We are experiencing some serious attacks which hang our webserver application. At this point we are not able to even telnet to the machine hosting the website. Is there a tool, command, etc. that can be used to identify the nature of the attack and get to the root of the problem? Any suggestions/advice for a quick fix?

NOTE: The webserver is running outside the firewall and it has to.

Thanks & Regards,
Chandra.

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
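The /etc/passwd check Kevin recommends above, written out as a small script; this is an added example and not part of the original thread. It lists accounts present in the current passwd file but absent from a known-good copy, and also flags any account other than root that carries UID 0, since a renamed or added UID-0 entry is a common sign of the kind of tampering he describes. The baseline path and the sample passwd lines are constructed for the demonstration; on a real machine you would point it at a copy of /etc/passwd saved before the incident.

```shell
#!/bin/sh
# Added example, not code from the original thread. Audits a passwd file by
# comparing it with a known-good baseline copy (assumed to exist, e.g. from a
# backup) and by looking for UID 0 accounts that are not root.
# The sample data at the bottom is constructed for demonstration only.

# Usernames present in the current file ($1) but missing from the baseline ($2).
# The baseline is read first (NR == FNR); names from it are remembered, then
# every name in the current file that was not remembered is printed.
new_accounts() {
    awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$2" "$1"
}

# Accounts in $1 whose UID field is 0 but whose name is not root.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Runs both checks against current ($1) and baseline ($2); one finding per line,
# prefixed with the check that produced it.
audit_passwd() {
    new_accounts "$1" "$2" | sed 's/^/new-account: /'
    extra_uid0 "$1" | sed 's/^/uid0-not-root: /'
}

# Constructed sample data: a baseline and a "current" file with two additions,
# one of which has been given UID 0.
BASELINE=$(mktemp)
CURRENT=$(mktemp)
trap 'rm -f "$BASELINE" "$CURRENT"' EXIT
cat > "$BASELINE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/bin/false
apache:x:48:48:Apache:/var/www:/bin/false
chandra:x:500:500:Chandra:/home/chandra:/bin/bash
EOF
{
    cat "$BASELINE"
    echo 'ftp:x:0:0::/:/bin/bash'
    echo 'games:x:12:100::/usr/games:/bin/bash'
} > "$CURRENT"

# Prints: new-account: ftp / new-account: games / uid0-not-root: ftp
audit_passwd "$CURRENT" "$BASELINE"
```

On a box where a root kit has already been installed, sh, awk and sed themselves may have been replaced, so run the check from a trusted boot medium or against a copy of the file taken to a clean host.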