The process that was continuously running was called "h". Many unix programs have very short names, but none of them are one letter. That stuck out like a sore thumb. The tip-off that the guy wasn't very good at this is that he had a tool that would hide the process on my machine, but he didn't use it. Oops.
I'm running Redhat Linux 6.1 with numerous and various updates.
I normally have the following running:
- Apache httpd version 1.3.14
- wuFTPd version 2.6.0 with relatively tight security
- Telnet is available
- Sendmail 8.9.3
- Oracle 8.1.6
- finger
- talk
- popd
- imapd
- named
I'm not sure how the hacker got in... yet. There was an attempt through FTP (how many people do you know that can remember an 800+ character password), but I don't think it was successful.
As for what I will do: I will go get the latest version of Satan and test my machine and upgrade where needed. I know that it is impossible to stop them all, so I rely on a few rules.
1) Don't put anything really valuable on a machine touching the internet. If you have to put valuable data on a computer, then you should use a dedicated machine (remove all of the services like email, ftp, finger, etc.). As you can see from the above list of services, I really don't have anything valuable on the machine.
2) It's impossible to stop the best hacker, but tightening down a few screws can take the vicious rookies out of the picture. Or in other words, try to tighten up what you can. It's been a while since I've done a security check. Had I done one recently, I'm sure I would have stopped this hacker.
3) Focus on tracking the occurrence of hacking rather than the prevention of hacking. Not a good solution if you don't know much about administration of your computer, but if you can clean up the mess, there's nothing like the thrill of sending the hacker a little message while they are setting things up. "What are you doing, boy!!"
Unfortunately, I didn't get the thrill of rule 3 on this one. But if you can catch someone in the act, you can usually gather a bit of intel on the hacker before you unplug the machine. No power... No hacking.
Jim
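The two observations in the post above (a one-letter process name that no normal unix program uses, and a process-hiding tool that was present but unused) translate into two checks a defender can run over saved process listings. This is an added example, not code from the post; the ps/proc listings below are constructed, and the /proc-versus-ps comparison is a standard check for a patched ps, not something the post itself describes.

```shell
#!/bin/sh
# Two checks over process listings. single_letter_procs flags command names
# that are one character long, which no standard unix program uses.
# hidden_pids lists PIDs present under /proc but missing from ps output, the
# usual sign of a ps binary that has been replaced or patched to hide a process.

# Input on stdin: ps text with a header line and columns PID USER COMMAND
# (for example `ps -eo pid,user,comm`). Prints "PID USER COMMAND" per hit.
single_letter_procs() {
    awk 'NR > 1 && length($3) == 1 { print $1, $2, $3 }'
}

# $1: file with one PID per line as read from /proc (ls /proc | grep '^[0-9]')
# $2: file with ps text in the same format as above (assumed non-empty)
# Prints every PID from $1 that ps did not report.
hidden_pids() {
    # First pass over the ps file records every PID it shows (header skipped);
    # second pass over the /proc list prints PIDs ps never mentioned.
    awk 'FNR == NR { if (FNR > 1) seen[$1] = 1; next } !($1 in seen)' "$2" "$1"
}

# Constructed sample data standing in for a saved listing: the one-letter
# process "h" is visible, and PID 944 exists in /proc but is absent from ps.
PS_SAMPLE='  PID USER     COMMAND
    1 root     init
  312 root     httpd
  340 root     sendmail
  355 root     named
  871 nobody   h
  902 jim      bash'
PROC_SAMPLE='1
312
340
355
871
902
944'

echo "== command names of length 1 =="
printf '%s\n' "$PS_SAMPLE" | single_letter_procs

proc_file=$(mktemp) && ps_file=$(mktemp)
printf '%s\n' "$PROC_SAMPLE" > "$proc_file"
printf '%s\n' "$PS_SAMPLE" > "$ps_file"
echo "== PIDs in /proc but not in ps =="
hidden_pids "$proc_file" "$ps_file"
rm -f "$proc_file" "$ps_file"
```

On a live box, feed `ps -eo pid,user,comm` into the first check and `ls /proc | grep '^[0-9]'` into the second; a process that appears in /proc but not in ps is exactly the case a hiding tool produces.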