Author: Bug Hunter
Email Address of Author: bughuntr@ctelcom.net
Date: Thu, 25 Dec 1997 
One-line summary of topic\question:
  I was hacked.  What should I do to protect my system from hackers?
Version of RedHat Linux answer is applicable to: Any

Answer:

  This is an incomplete list of security steps you can take to protect
your RedHat system on the network.  It does not go into the _why_, just
the _what_.  Double check everything, and keep looking for new and
better ways of doing things.


  I, too, have been compromised in the past.

Do these things (off the top of my head and in no particular order)...

  Upgrade to RH 4.2, at least.  If you are at RH 4.2 or later, then
reinstall, or very carefully do a diff between several key files on disk
and on your RedHat CD-ROM:  ls, login, syslogd, ftpd, telnetd, rsh,
sendmail, and your tcp wrapper program (probably inetd).

  In /etc/hosts.deny, put a single line:
ALL:ALL

  In /etc/hosts.allow, enter the names of the host machines that can use
services on your machine, and the related services. (do a "man
hosts.allow" for more info).

  Run pwconv5 to convert to shadow passwords.  Change as many passwords
as possible.  They have been cracked.  Run crack (available from
cert.org; search the web) to find the easy passwords and force changes
on those, at least.

  In /etc/sendmail.cf, look for Mprog.  You should see /bin/sh.  Change
it to /sbin/smrsh.  (I think that is the path.  Do a locate.)  Do this
after upgrading your sendmail (see below).

  Double check the files in /home/ftp/bin.  Those were probably
compromised also, and may contain one or two extra executables that RH
4.2 did not replace, along with some lib files that are also
compromised.

  There is probably a cgi-bin in /home/httpd/cgi-bin called phf (or
pfh).  Delete it.  It is most likely how they got in.

  ls was probably also compromised, but replaced by RH 4.2 if upgrading.

  In /etc/inetd.conf, comment out shell, login, finger, netstat, systat,
and anything else you don't provide to outsiders.

  Look on the web for ssh, and install it for remote logins.  Since you
have been compromised, put it on a different port than the one reserved
for it.

  Find www.sendmail.org, and check out the anti-spam rules.  On
ftp.redhat.com, sendmail 8.8.8 is there.  Install it and look in
/etc/mail and edit those files.  Mail relayers and spammers aren't far
behind.  This will save you tremendous bandwidth by denying relaying.

  Look for a new directory in /root that begins with a period, such as
.cool.  In that directory you will find a network probe program.

  syslogd was probably compromised, but replaced by the RH 4.2 upgrade
you did.

  Keep your CD-ROM mounted, and run a daily compare script that compares
the files that were compromised to the files in the CD-ROM's live
directory.  (i.e. /cdrom/live/bin/ls, or /cdrom/live/usr/bin/xxx)
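A daily compare script of the kind described above, added here as an example that is not part of the original post: it checks each key binary on the running system byte-for-byte (cmp -s) against the pristine copy under the CD's live tree and exits nonzero if anything differs or is missing. The /cdrom/live path, the crontab line and the binary locations in KEY_FILES are assumptions based on the post and a stock RH 4.2 layout; adjust them to your own mount point and install.

```sh
#!/bin/sh
# Daily compare of key binaries against the pristine copies on the mounted
# RedHat CD.  Usage: compare.sh [REF_ROOT] [LIVE_ROOT]
# Defaults below are assumptions taken from the post (CD mounted at /cdrom,
# live tree under /cdrom/live).  Suitable for a root crontab entry such as:
#   0 4 * * * /root/compare.sh | mail -s "binary check" root

# Relative paths of the binaries the post names as likely replaced.
# Locations are assumed from a stock RH 4.2 layout; adjust as needed.
KEY_FILES="bin/ls bin/login usr/sbin/syslogd usr/sbin/in.ftpd \
usr/sbin/in.telnetd usr/bin/rsh usr/sbin/sendmail usr/sbin/inetd \
usr/sbin/tcpd"

# compare_tree REF_ROOT LIVE_ROOT FILE...
# Compares REF_ROOT/FILE with LIVE_ROOT/FILE byte-for-byte (cmp -s), so a
# trojan padded to the original size is still caught.  Prints one status
# line per file and returns 0 only if every file matched.  Note that sh and
# cmp themselves come from the live system; if they were replaced too, this
# check is not trustworthy, which is why the post also recommends tripwire.
compare_tree() {
    ref_root="$1"; live_root="$2"; shift 2
    mismatches=0
    for f in "$@"; do
        if [ ! -f "$ref_root/$f" ]; then
            echo "NOREF    $f (not on reference media; cannot verify)"
            mismatches=$((mismatches + 1))
        elif [ ! -f "$live_root/$f" ]; then
            echo "MISSING  $f"
            mismatches=$((mismatches + 1))
        elif cmp -s "$ref_root/$f" "$live_root/$f"; then
            echo "OK       $f"
        else
            echo "DIFFERS  $f"
            mismatches=$((mismatches + 1))
        fi
    done
    echo "$mismatches file(s) need attention"
    [ "$mismatches" -eq 0 ]
}

# Run the check when invoked as a script; the report goes to cron's mail.
if [ -d "${1:-/cdrom/live}" ]; then
    compare_tree "${1:-/cdrom/live}" "${2:-/}" $KEY_FILES
fi
```

Anything reported as DIFFERS or MISSING should be restored from the CD and the machine treated as still compromised until the source of the change is understood.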

  Get tripwire from CERT and use it if you can.

  Look for the website at geek-girls (see an earlier post in the
redhat archive regarding sshd), and read up on security issues.

  Get the latest kernel upgrade from ftp.redhat.com and install it.
This will protect your system from the teardrop attack and the Pentium
F00F bug.

  Edit your /etc/ftp.access file and deny ftp access to IP addresses
that don't resolve to machine names.

  Look for X Window executables that have the suid bit set, and unset
it.  Set it only on the programs that refuse to run for you after that.

  Look on www.redhat.com, go to documentation, and examine the errata
for RedHat for any security issues I missed or misquoted.  (I make
plenty of mistakes.)

