LinuxSA Mailing list archives
From: Alain Satre <alain@messagebay.com>
To: <linuxsa@linuxsa.org.au>
Date: Mon, 05 Feb 2001 10:30:04 -0800
Intrusion question
Recently a few servers which had just been built were broken into with
the rpc vulnerability in RH6.2, now made very common by the ramen worm.
We have since patched the machines, and assumed they were in good
health. Occasionally we still seem to see odd occurrences of connections
to this machine, and I am frankly unable to trust the machine since the
break-in. Today I was notified by an admin at another company that there
were portscans from one of those machines to his servers last night. I
can only assume that someone is still able to use our servers for
malicious usage. I however find no trace of the common ramen worm
files, like .poop, so I think this may be done manually.

Since we had not had the chance to install countermeasures like
tripwire, I don't know if files have been changed. Does anyone know of a
way to check each rpm install to see if all files are valid? Or a way
to compare file sizes across the board to see if files have been
changed? Has anyone ever recommended a good UNIX/Linux virus scanner?
Are they even worth investing in?

On another note, does anyone recommend a good autopatch program, like
up2date, autorpm, etc.?
--
LinuxSA WWW: http://www.linuxsa.org.au/ IRC: #linuxsa on irc.linux.org.au
To unsubscribe from the LinuxSA list:
mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject