[Gllug] My firewall is rooted
Jason Clifford
jason at ukpost.com
Mon Jul 15 11:43:47 UTC 2002
On Mon, 15 Jul 2002, Stephen Harker wrote:
> OK. So I ssh into the firewall (first time in a week or so) to discover loads
> of running processes ./a and a new user in my password file called dave. So
> out he goes and shut down all the processes. Passwd file was locked so I
> removed /etc/ptmp and removed the dave entry. (BTW this is an OpenBSD box)
> Rebooted the machine. First mistake.
> Now my root password doesn't work any more. SO. Do I want to even bother
> fixing this machine up or shall I just rescue my pf and nat rules, wipe the
> box and start again? Will there be a load of backdoors and other nasties on
> there now?
I'd advise disconnecting the box from the 'net, booting from a trusted
source (a boot floppy or CD) and copying off any vital files - such as
your firewall rules, etc, although these should be considered less than
safe given what has happened and not used again without careful inspection
first.
Then completely scrap the box and rebuild from scratch.
The only reason not to do this would be if you intend to spend lots of
time analysing the attack to try and determine the source and the way they
got it.
Jason Clifford
--
UKPOST.COM get your @ukpost.com address now...
http://www.ukpost.com/
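The triage Jason describes (boot from trusted media, mount the suspect disk read-only, pull off the pf and nat rules for inspection rather than reuse, and look for the rogue "dave" account) as two shell helpers. This is added example code, not from the thread; it assumes the compromised root filesystem is mounted at a path you pass in and that you know which logins belong on the box.

```shell
#!/bin/sh
# Triage helpers for a compromised host whose disk is mounted read-only from
# trusted boot media (e.g. mount -o ro /dev/wd0a /mnt). Assumed paths: the
# mount point and an evidence directory are passed as arguments; nothing is
# executed from the suspect disk.

# Print "name:uid:reason" for accounts that are not in a known-good baseline,
# or that are in the baseline but have been given UID 0 (root and OpenBSD's
# toor are the only expected UID-0 logins). Works on /etc/passwd and
# /etc/master.passwd alike, since both keep the UID in field 3.
suspicious_accounts() {
    passwd_file=$1           # e.g. /mnt/etc/master.passwd
    baseline=$2              # space-separated login names you expect to exist
    awk -F: -v base="$baseline" '
        BEGIN { n = split(base, b, " "); for (i = 1; i <= n; i++) ok[b[i]] = 1 }
        /^#/ || /^\+/ || NF < 3 { next }
        !($1 in ok) { print $1 ":" $3 ":not-in-baseline"; next }
        $3 == 0 && $1 != "root" && $1 != "toor" { print $1 ":" $3 ":uid0" }
    ' "$passwd_file"
}

# Record a checksum with whatever tool the rescue environment provides.
checksum() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    elif command -v sha256 >/dev/null 2>&1; then sha256 "$1"
    else cksum "$1"; fi
}

# Copy the firewall configuration (pf.conf, plus nat.conf on the OpenBSD
# releases that kept NAT rules in a separate file) into the evidence directory
# with a checksum manifest, so the rules can be reviewed line by line before
# any of them is reused on the rebuilt box. Prints the number of files rescued.
rescue_rules() {
    mnt=$1; out=$2; count=0
    mkdir -p "$out/etc"
    : > "$out/MANIFEST"
    for rel in etc/pf.conf etc/nat.conf etc/rc.conf.local; do
        [ -f "$mnt/$rel" ] || continue
        cp -p "$mnt/$rel" "$out/$rel"
        checksum "$out/$rel" >> "$out/MANIFEST"
        count=$((count + 1))
    done
    echo "$count"
}
```

Run it from the rescue environment against the mount point, for example `suspicious_accounts /mnt/etc/master.passwd "root toor daemon steve"` followed by `rescue_rules /mnt /evidence`.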
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug