[wellylug] Think I've had a server hacked
Jim Cheetham
jim at gonzul.net
Wed Oct 26 15:35:37 NZDT 2005
On Wed, 26 Oct 2005 10:25:17 +1300, Mark Signal <mark at databackup.co.nz>
wrote:
> I am copying all the data off (including /var/logs/) and will
> reinstall/update and shift ssh port

Don't trust your data too much (look for hidden files and stuff like that).

Complete reinstall/reformat is indicated - you can't trust your filesystem
enough to do an upgrade. Whatever OS you install, follow security updates
every day.

If *any* other machine has the same passwords as *any* account on the
compromised machine, change them, and don't re-use the compromised
machine's passwords again.

Don't bother obscuring the ssh port, but do ban password logins, and
restrict the valid users to yourself and definitely ban root logins.

-jim
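
The three sshd settings recommended in the message above, checked against an sshd_config, as an added example that is not part of the original post. The sample configs and the account name alice are constructed; the parser handles only plain keyword/value lines and Match blocks, and relies on sshd's documented rule that the first value obtained for a keyword is the one used.

```python
import re
# Constructed samples, not taken from the compromised server.
WEAK = """\
Port 2222
PasswordAuthentication yes
PermitRootLogin yes
# appended later by an admin; sshd keeps the first value it read
PasswordAuthentication no
"""
HARDENED = """\
PasswordAuthentication no
PermitRootLogin no
AllowUsers alice
"""
REQUIRED = {"passwordauthentication": "no", "permitrootlogin": "no"}

def parse(text):
    """Return (global settings, Match-block settings); keywords lower-cased."""
    settings, match_lines, in_match = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]
        key = key.lower()
        if key == "match":
            in_match = True          # everything after this is conditional
        elif in_match:
            match_lines.append((key, value))
        else:
            settings.setdefault(key, value)   # first obtained value wins
    return settings, match_lines

def audit(text):
    """Return findings; an empty list means all three recommendations hold."""
    settings, match_lines = parse(text)
    findings = []
    for key, want in REQUIRED.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key}: not set, relies on the default")
        elif got.lower() != want:
            findings.append(f"{key}: is '{got}', want '{want}'")
    if not settings.get("allowusers"):
        findings.append("allowusers: not set, logins not limited to named users")
    for key, value in match_lines:
        if key in REQUIRED and value.lower() != REQUIRED[key]:
            findings.append(f"{key}: Match block sets '{value}'")
    return findings
```

Calling `audit(WEAK)` reports three findings even though the file ends with `PasswordAuthentication no` and uses a non-default port; `audit(HARDENED)` returns an empty list.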