[nSLUG] my system was cracked!

ricardd at mathstat.dal.ca ricardd at mathstat.dal.ca
Sat Jun 3 09:17:04 ADT 2006


Hello,
Someone remotely cracked into my system on Thursday afternoon when I was
at the CEOS conference and my laptop was running in my office at
Dalhousie. Another machine running Ubuntu was cracked into last week as
well.

This is a first for me and it now makes me feel vulnerable. A few pros
looked at my machine at the InstallFest yesterday and had various
explanations for what happened.

I discovered that something was wrong when I tried to log in as user
postgres and the password wasn't accepted. I then reset the password for
postgres and logged in as user postgres. The command history included
things that I didn't type and that were malicious (download an admin kit, etc.).
After that, I could not log in as root anymore; the "sudo" command must've
been corrupted. We rebooted from a CD and noticed that the entries for sudo
in /etc/passwd and /etc/shadow were indeed corrupted. The root password
was reset by editing the files in a text editor and rebooting. The dudes
also suggested a re-install of my whole system.

So, short of hiring a sysadmin, what should I do to protect myself against
this? I'd like to get a "checklist" of things that I should watch for
after I reinstall. For example:

- run a firewall
- change the ssh listening port to something other than 22
- use strong passwords for everything (the postgres password was weak)
- ...

Suggestions, comments? And, yes, I will get a "Security for Linux" book
and read it.
Cheers,

Dan (running my own InstallFest this weekend)
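A post-reinstall audit in the spirit of Dan's checklist, as an added example that is not part of the original post: it parses /etc/passwd, /etc/shadow and sshd_config text and flags the conditions described above (a service account such as postgres that can log in with a password, extra UID-0 or passwordless accounts, sshd on port 22 with root and password logins allowed). The inputs are constructed samples so it runs offline; the SERVICE_ACCOUNTS set and the sshd defaults used when a key is absent are assumptions.

```python
"""Post-reinstall audit for a small Linux box (added example, not from the post).
Inputs below are constructed samples; SERVICE_ACCOUNTS is an assumed list of
service users that should never be password-loginable."""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
postgres:x:105:109:PostgreSQL administrator:/var/lib/postgresql:/bin/bash
backdoor:x:0:0::/tmp:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$1$abc$hash:13300:0:99999:7:::
postgres:$1$def$hash:13300:0:99999:7:::
backdoor::13300:0:99999:7:::
"""
SAMPLE_SSHD = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
SERVICE_ACCOUNTS = {"postgres", "www-data", "mysql"}  # assumed service users
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

def audit_accounts(passwd_text, shadow_text):
    """Return a list of findings about the account database."""
    hashes = {l.split(":")[0]: l.split(":")[1] for l in shadow_text.splitlines() if ":" in l}
    findings = []
    for line in passwd_text.splitlines():
        name, _, uid, _, _, _, shell = line.split(":")[:7]
        pw = hashes.get(name, "")
        if uid == "0" and name != "root":
            findings.append(f"{name}: extra UID 0 account")
        if pw == "":
            findings.append(f"{name}: empty password field")
        # a locked hash starts with '*' or '!'; anything else is a usable password
        usable_pw = pw != "" and not pw.startswith(("*", "!"))
        if name in SERVICE_ACCOUNTS and usable_pw and shell not in NOLOGIN_SHELLS:
            findings.append(f"{name}: service account with password and login shell")
    return findings

def audit_sshd(config_text):
    opts = {}  # lower-cased key -> lower-cased value, comments stripped
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            opts[key.lower()] = value.strip().lower()
    findings = []
    if opts.get("port", "22") == "22":
        findings.append("sshd: listening on default port 22")
    if opts.get("permitrootlogin", "yes") != "no":
        findings.append("sshd: root login over ssh permitted")
    if opts.get("passwordauthentication", "yes") != "no":
        findings.append("sshd: password authentication enabled")
    return findings
```

Run both functions against the real files after reinstalling and again periodically; an unexpected finding on a machine you did not change is the cue to boot from clean media and compare.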
