I'm being hacked!

Kurt Granroth kurt@granroth.org
Thu, 8 Mar 2001 10:05:07 -0700


Rick Rosinski wrote:
[snip]
> The point to all of this is:  I want to find out how to stop this from 
> happening.  I have a few ideas of my own, and I have lots of questions.
> 
> Besides setting up a firewall, what other security measures should I consider 
> implementing?
> 
> What will it take to keep this guy out of my system?  What is he capable of 
> doing besides knowing my command history in my term windows.  Would it be 
> effective if I set up a user for myself (I am always root) to keep him out?  
> I am not on a LAN, just ppp to inficad, and I don't know if being root is 
> dangerous or not.

You should consider your system completely compromised!  At this
point, the cracker could very easily have total access to every part
of your system.  In your case, you MUST do a clean reinstall.  Back up
your important data, then nuke your hard drive and start from scratch.
This is *necessary* since your cracker could have put in any number of
back-doors or trojans that will circumvent anything you do!

That done, you'll need to beef up the security on your box.  This is
one area where most Linux distributions really fall short... the
default install on all general distros is *way* too promiscuous.

Unfortunately, the topic of security isn't an easy one.  If you RTFM,
you'll see that the FMs are very long and very complex.  They usually
assume that you are a dedicated sysadmin.  Very few HOWTOs deal with
a "normal" home user.

That said, I recommend that you check out www.linuxsecurity.org.  They
have a number of HOWTOs there that can help.

In the meantime, though, I recommend doing at least the following:

1) REINSTALL YOUR SYSTEM FROM SCRATCH (I can't emphasize that enough).
   If you don't reinstall from scratch, then nothing you do can be
   considered effective!
2) Set up a packet filter (firewall) that denies *all* incoming packets.
   You may need to selectively allow a few later for things like
   ftp-data and the like... but by default, always deny.
3) Shut down all non-essential services.  Since you are on a dial-up,
   you likely don't need http, bind, or similar network services
   running.
4) Pick a very good password for root and preferably change it every
   now and then.
5) Rarely log in as root.  Create any number of normal users and do
   99.9% of your work as them.
6) Always keep up to date with your distro's update patches
   (especially security ones).

<bias_alert>May I also recommend using a distribution like SuSE?  SuSE
7.0 and 7.1 have several tools that can help you out.  For instance,
there is a HardenSuSE script that will go through and "harden" your
system by selectively disabling non-essential services, changing
permissions, etc.  There is also a SuSEFirewall script that makes
creation of firewalls and packet filters quite easy.  The 7.1 online
update utility makes updating security patches quite easy.</bias_alert>
-- 
Kurt Granroth            | http://www.granroth.org
KDE Developer/Evangelist | SuSE Labs Open Source Developer
granroth@kde.org         | granroth@suse.com
            KDE -- Conquer Your Desktop
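As an added illustration of steps 2 and 3 of the advice above (not part of the original thread, and not a SuSE or HardenSuSE script), the following POSIX shell snippet audits which listening TCP sockets on a home box are actually reachable from the network and emits a default-deny rule set for the dial-up interface. The socket lines, the allow-list (only port 22), the `ppp0` interface name and the `iptables` syntax are all assumptions; the sample sockets are constructed, and the rules are printed rather than applied so the script can be run anywhere.

```shell
#!/bin/sh
# Added example (not from the original post): audit listening TCP sockets
# against an allow-list and emit a default-deny packet filter.
# Input format assumed: "proto local-address state" lines, as printed by
# `netstat -tln` / `ss -tln` once headers are stripped. Sample is constructed.

SAMPLE_SOCKETS='tcp 0.0.0.0:80 LISTEN
tcp 0.0.0.0:53 LISTEN
tcp 127.0.0.1:25 LISTEN
tcp 0.0.0.0:22 LISTEN
tcp 0.0.0.0:21 LISTEN'

# Ports a dial-up home box reasonably keeps reachable (assumption: only ssh).
ALLOWED_PORTS="22"

# Map a port number to a service name purely for readability.
port_name() {
    case "$1" in
        21) echo ftp ;;
        22) echo ssh ;;
        25) echo smtp ;;
        53) echo dns ;;
        80) echo http ;;
        *) echo "port-$1" ;;
    esac
}

# Print one "port name address" line per socket that is both reachable
# from the network (not bound to loopback) and not on the allow-list.
# A daemon bound only to 127.0.0.1 is invisible to the ppp link and is
# therefore not reported, even though it is still running.
audit_listeners() {
    printf '%s\n' "$1" | while read -r proto addr state; do
        [ "$state" = "LISTEN" ] || continue
        port=${addr##*:}
        host=${addr%:*}
        case " $ALLOWED_PORTS " in *" $port "*) continue ;; esac
        case "$host" in 127.*|::1) continue ;; esac
        echo "$port $(port_name "$port") $host"
    done
}

# Number of exposed, non-allowed listeners: a quick pass/fail for step 3
# (zero means nothing unexpected is reachable from the network).
exposed_count() {
    audit_listeners "$1" | wc -l | tr -d ' '
}

# Emit (do not apply) a default-deny rule set for the dial-up link, matching
# step 2: drop everything inbound by default, keep loopback, and keep replies
# to connections the box itself opened. Interface name and iptables syntax
# are assumptions; the original thread predates this syntax.
default_deny_rules() {
    iface=${1:-ppp0}
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $iface -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Stand-alone run: list what is exposed, then show the rules to review.
audit_listeners "$SAMPLE_SOCKETS"
default_deny_rules ppp0
```

On the constructed sample the audit reports http, dns and ftp as exposed: port 25 is skipped because it only listens on loopback, and port 22 is on the allow-list. Anything the audit prints is a candidate for step 3 (stop the daemon) before relying on the packet filter from step 2, since a filter is a second line of defence, not a substitute for not running the service.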