The title says it all for my problem and I need some advice. I have a
RedHat 6.1 box that I use for my business and is configured as a
firewall, router, web server and email server. The box was hijacked this
past week and I was informed of it by some other businesses that were
being hacked from my box. I'm not a happy camper right now since I had
to completely rebuild my box (ain't paranoia great?!?!) and I'm still
trying to figure out how they did it.
The person was smart enough to gain access but not smart enough to cover
their tracks. I have the logs in the secure log as well as the syslogs
that show me what they did but I don't know how and that's where I need
some help. The first entry from my syslog shows a change of the password
for account adm through the PAM module. From that point the person
creates some other accounts and groups and all hell breaks loose.
My secure log shows several telnet connection attempts from the same IP
and ultimately a successful login with account adm all within a span of
a couple of minutes. My box had the hosts.deny firewall rule of ALL:ALL
and my hosts.allow file had in.httpd:ALL and in.telnetd opened for some
IPs that I use for remote access for maintenance. In going through the
"crime scene" I found my hosts.deny file had been completely deleted; how
and when, I don't know, but if it had still existed it should have
prevented that IP address from even being given a prompt.
Anyway, first question, is the adm account a default account created on
a RH6.1 install? And if so, does it also come with a default password?
Second, with the firewall rules that I had are there some other back
doors to PAM or other services that let them change the password file?
Any other advice?
Also, before anyone gets on a soapbox, yes, I understand that I need to
add something like tripwire and logwatch, etc. The new install has that
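As an added example (not code from the original poster), the check below models the tcpd evaluation order, hosts.allow first and hosts.deny second, which is why a deleted hosts.deny leaves in.telnetd open to any address not explicitly listed, and it flags system accounts such as adm whose shadow entry still holds a usable password hash. All file contents and addresses are constructed samples.

```python
# Added example (not the poster's code): tcpd-style access decisions and a
# check for system accounts such as adm that still accept a password login.
# Constructed sample files, not data from the compromised box.
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "adm:x:3:4:adm:/var/adm:/bin/sh\n"
                 "lp:x:4:7:lp:/var/spool/lpd:/bin/false\n")
SAMPLE_SHADOW = ("root:$1$salt$fakehash:11000:0:99999:7:::\n"
                 "adm:$1$salt$fakehash:11000:0:99999:7:::\n"  # usable hash
                 "lp:*:11000:0:99999:7:::\n")                   # locked
HOSTS_ALLOW = "in.httpd: ALL\nin.telnetd: 192.0.2.10, 192.0.2.11\n"
HOSTS_DENY = "ALL: ALL\n"
LOCKED = ("*", "!")                      # shadow prefixes meaning 'no login'
NOLOGIN = {"/sbin/nologin", "/bin/false"}

def _rules(text):
    """Parse 'daemon_list : client_list' lines into (daemons, clients) sets."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            parts = line.split(":")    # a third field (shell command) is ignored
            rules.append(({d.strip() for d in parts[0].split(",")},
                          {c.strip() for c in parts[1].split(",")}))
    return rules

def _match(patterns, value):
    """ALL, an exact daemon/address, or a trailing-dot network prefix."""
    return any(p == "ALL" or p == value or (p.endswith(".") and value.startswith(p))
               for p in patterns)

def wrappers_allow(daemon, client, allow_text, deny_text):
    """tcpd order: hosts.allow grants, else hosts.deny refuses, else permit."""
    if any(_match(d, daemon) and _match(c, client) for d, c in _rules(allow_text)):
        return True
    if any(_match(d, daemon) and _match(c, client) for d, c in _rules(deny_text)):
        return False
    return True  # nothing matched: permitted, so a wiped hosts.deny opens every daemon

def loginable_system_accounts(passwd_text, shadow_text, max_sys_uid=499):
    """System accounts (uid <= 499, not root) with a usable hash and a login shell."""
    hashes = dict(l.split(":")[:2] for l in shadow_text.splitlines() if ":" in l)
    flagged = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) < 7 or f[0] == "root" or int(f[2]) > max_sys_uid or f[0] not in hashes:
            continue
        if not hashes[f[0]].startswith(LOCKED) and f[6] not in NOLOGIN:
            flagged.append(f[0])     # an empty hash (no password at all) is flagged too
    return flagged
```

Running it against the real files (/etc/passwd, /etc/shadow, /etc/hosts.allow, /etc/hosts.deny) after a rebuild gives a quick confirmation that the catch-all deny rule is back and that no stock account can be logged into with a password.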