[ale] I can't seem to plug up all the security holes in my box...

Jay Finch horus at larp.com
Tue Jun 20 20:39:04 EDT 2000


Hi y'all,

I always try to fix something myself, but I'm totally stumped at this
juncture.

Here's the scenario:
I noticed somebody logging into my server from a domain I didn't
recognize.  When I queried the user, I found out that it wasn't my
user, but that someone had cracked their account.

I promptly kicked them off the system, but not before they had
grabbed copies of my /var/log/messages, /var/log/syslog, /etc/passwd, and
/etc/shadow.

Now I'm plagued with them continuing to log back in (from different
spoofed domains every time) under new accounts they keep cracking the
PW's on.

I thought they were using the Sendmail 8.9.x + Linux 2.2.14 root
exploit, but I upgraded to 2.2.16 and Sendmail 8.10.2, to no
avail.  I also closed down my telnet ports and only allow folks to
use SSH now, but that didn't help.

Earlier today they logged in, gained root access somehow, and
deleted ALL of my system logs and all of my BACKUPS.

I freely admit that I'm not the wisest or smartest Admin around, but
I need to keep these weasels out.  I have about 150 users, with
around 75 Websites that I host on my machine...

Any advice or assistance would be appreciated.

Thanks!
Jay


-----
Jay Finch                         : "Come with me.. and you'll be..
(770) 650-0410 (voice)            :  In a world of pure imagination.
pagejay at larp.com (pager)       :  Take a look and you'll see
horus at larp.com                 :  Into your imagination ..."
MTBI Survey says: ENFJ            :               -- Willy Wonka
      Check out my home page at: http://www.photobooks.com/~horus/