Very Computer

I'm using the operating System Linux  - RedHat9
I'm totally a newbie in linux-security and that's why I've got a Problem:
A month ago, I got hacked by someone 3 times!
I always had to reinstall my distribution for security reasons.
Poeple in groups.google suggested to do so after a successful hack.
I changed the _standard known_ portnumbers and I denied the access for all
incoming internet connections to the ports 0-1024 and mysql per protocol tcp
and udp in my ipchains.
Is that enough or - what should else should I do to prevent him/her from
hacking into my computer again (and it would be nice if i could trace him
back  and do something about it)
Any suggestions?

RD> Hello anyone,
RD>
RD> I'm using the operating System Linux  - RedHat9
RD> I'm totally a newbie in linux-security and that's why I've got a Problem:
RD> A month ago, I got hacked by someone 3 times!
RD> I always had to reinstall my distribution for security reasons.
RD> Poeple in groups.google suggested to do so after a successful hack.
RD> I changed the _standard known_ portnumbers and I denied the access for all
RD> incoming internet connections to the ports 0-1024 and mysql per protocol tcp
RD> and udp in my ipchains.
RD> Is that enough or - what should else should I do to prevent him/her from
RD> hacking into my computer again (and it would be nice if i could trace him
RD> back  and do something about it)
RD> Any suggestions?

Keep your soft up-today. And read Security News for your's RH Linux.

--
Biomechanical Artificial Sabotage Humanoid

Then, don't change the port numbers of services; security through
obscurity was never supposed to work.

Use iptables to close all ports incoming, and only allow those
outgoing that you need (http/https/ftp/ssh, I guess).

Do not run any services that you don't use.

Make the services you decide to use listen only to the internal
interface.

Run an intrusion detection system like snort to get a couple of
points what is going on in your network.

Choose your system passwords carefully (your username backwars
is not a very secure password).

Use up2date to update your system regularly.

This should keep you quite safe :)
Peace,
Georg

You already got good advice but there is more:

Make sure you actually got cracked, and didn't just run a trojan of some
sort. To avoid trojans: Don't run any {script,Makefile,programs,anything
else executable} from an untrusted source without lookin over it first,
and certainly don't run it as root.

hth
NPV

Quote:> I'm using the operating System Linux  - RedHat9
> I'm totally a newbie in linux-security and that's why I've got a
> Problem: A month ago, I got hacked by someone 3 times!

Quote:> I always had to reinstall my distribution for security reasons.
> Poeple in groups.google suggested to do so after a successful hack.
> I changed the _standard known_ portnumbers and I denied the access for
> all incoming internet connections to the ports 0-1024 and mysql per
> protocol tcp and udp in my ipchains.

Khay.

ps:
He/She cracked (thanks for teaching me the difference) my Computer trough an
open Port, I don't know which one.
I noticed that hacker because he/she made _one_ mistake: He/She forgot to
delete the data in the /tmp folder where I found his evil scripts that
he/she executed -> One Script for example was for moving the logfiles into
/dev/null and lots of other stuff.

pps:
Sorry I don't use ipchains. I wrote it I know, but that was wrong -> I'm
using iptables.
I don't know much about the difference, but iptables is newer, right? (and I
guess better)

Quote:> Hello anyone,

> I'm using the operating System Linux  - RedHat9
> I'm totally a newbie in linux-security and that's why I've got a Problem:
> A month ago, I got hacked by someone 3 times!
> I always had to reinstall my distribution for security reasons.
> Poeple in groups.google suggested to do so after a successful hack.
> I changed the _standard known_ portnumbers and I denied the access for all
> incoming internet connections to the ports 0-1024 and mysql per protocol
tcp
> and udp in my ipchains.
> Is that enough or - what should else should I do to prevent him/her from
> hacking into my computer again (and it would be nice if i could trace him
> back  and do something about it)
> Any suggestions?

Quote:> Ok, thank you very much everyone!
> These advices are very useful to me
> - I'll always look for updates for this linux-distribution
> - Scanning my ports for any security holes from outside.

Quote:> ps:
> He/She cracked (thanks for teaching me the difference) my Computer
> trough an open Port, I don't know which one.

Take a look at "netstat -tupan" - it will show which services are
listening to the internet, if nothing is listening then nothing can be
"hacked", atleast not remotely.

Quote:> I noticed that hacker because he/she made _one_ mistake: He/She forgot
> to delete the data in the /tmp folder where I found his evil scripts
> that he/she executed -> One Script for example was for moving the
> logfiles into /dev/null and lots of other stuff.

Quote:> Sorry I don't use ipchains. I wrote it I know, but that was wrong ->
> I'm using iptables.
> I don't know much about the difference, but iptables is newer, right?
> (and I guess better)

Good luck!

Khay.

]Hello anyone,

]I'm using the operating System Linux  - RedHat9
]I'm totally a newbie in linux-security and that's why I've got a Problem:
]A month ago, I got hacked by someone 3 times!
]I always had to reinstall my distribution for security reasons.

Yes. Was it a complete reinstall?
If not you also need to use the new find to search through the stuff you
did not reinstall for suid files.
Also you have to change all passwords.
And install allof the security updates.
And make sure that things you do not use (ftp, http,etc) are not enabled
in xinetd of /etc/rc?.d

]Poeple in groups.google suggested to do so after a successful hack.
]I changed the _standard known_ portnumbers and I denied the access for all
]incoming internet connections to the ports 0-1024 and mysql per protocol tcp
]and udp in my ipchains.
]Is that enough or - what should else should I do to prevent him/her from
]hacking into my computer again (and it would be nice if i could trace him
]back  and do something about it)
]Any suggestions?

]>
]> Have you installed all the security patches before exposing it to the
]> Net? Did you change *all* your passwords? How did they hack you?
]>
]- No, I haven't, but I will do it as soon as possible
]- Of Course I changed all standard-password into non-standard passwords

What standard passwords? There are none. ALL passwords of all users on
the system need to change their passwords, including root.

]- They hacked me (read text above)

Yes, he asked how. What was the evidence you have that you were hacked?

So, listen to the others asking "are you sure?"

HTH,

Doug.
--
Linux: in a world without fences, who needs Gates?

Which services are you running? All of them, not just the ones active today!

If you reinstall everything just the same way as before, you will also
reinstall the same hole that the attacker used last time.

/lindq

--
Remove the Fnurt to reply.
--
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/E d+ s:+ a C++(+++)$ ULOSI*++(++++)$ P+++$>++++$ L++ E>++$ W+(+++)

!X- R tv b++ DI++++ D+ G++ e+++ h---- r+++ y++++
------END GEEK CODE BLOCK------

so make sure you update your sshd and any other programs that may need it -
remember the distro disks do not have the latest version

Mike.

Quote:> Hello anyone,

> I'm using the operating System Linux  - RedHat9
> I'm totally a newbie in linux-security and that's why I've got a Problem:
> A month ago, I got hacked by someone 3 times!
> I always had to reinstall my distribution for security reasons.
> Poeple in groups.google suggested to do so after a successful hack.
> I changed the _standard known_ portnumbers and I denied the access for all
> incoming internet connections to the ports 0-1024 and mysql per protocol
tcp
> and udp in my ipchains.
> Is that enough or - what should else should I do to prevent him/her from
> hacking into my computer again (and it would be nice if i could trace him
> back  and do something about it)
> Any suggestions?