On Tue, 4 Jan 2000, JAMES VANETTEN wrote:

> I have had some really weird things happen to my web server over the
> last week. The name server stops for no reason, sometimes apache
> stops. When I login nothing seems to work right. I checked my login
> file and it is a different size from my mail server login file. I have
> suspected someone has cracked the system.

A couple years ago some kids cracked an account I had on a friend's
system.  The first thing I noticed was that my login files were changed.
You'd think someone that didn't want to get caught would be smarter than
that, but apparently not. :-)

Anyhow, I suggest a "ps aux" and some investigation to see if they're
running any nefarious processes behind your back.  In my case they had
installed an IRC server, renamed the executable to "mail," and left it
running.  It still stuck out like a sore thumb, since nothing named "mail"
is normally running under my userid, but it was a nice try.

> I am going to rebuild the system from scratch. For now can I just copy
> the /bin/login file from my mail server and put it on my web server??

You could, but I recommend also limiting IP access from just one or two
other machines, except port 80.  Set all of the shells to /bin/false,
except root and other accounts that absolutely need the shell, and change
the passwords on all of those accounts.  When you change the passwords, do
so via ssh or the console.  The aforementioned account was originally
compromised with a packet sniffer (and I've been using ssh ever since).

And rebuild the machine ASAP.  You never know what tentacles may have been
installed when you weren't looking.

---------------------------------------------------------------------------
Assume just 4 million businesses on the Internet today...
If 1% of them sent you one piece of junk email per year,
you'd still have to wade through over 100 messages per day.
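
The two checks suggested in the message above, as an added example that is not part of the original post: flag user/command pairs missing from a known-good baseline (the renamed "mail" process), and list accounts that still have a usable login shell. The function names, the allow list and all sample data are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample data: "user command" pairs, the format printed by
# `ps -e -o user= -o comm=`.
BASELINE='root init
root sshd
www httpd
jim sh'
SNAPSHOT='root init
root sshd
www httpd
jim sh
jim mail
jim mail'
# Constructed passwd(5)-format sample.
PASSWD='root:x:0:0:root:/root:/bin/bash
www:x:80:80:web:/var/www:/bin/false
jim:x:1000:1000::/home/jim:/bin/bash
ftp:x:14:50::/var/ftp:'

# Print each user/command pair on stdin that is absent from the baseline ($1).
# Duplicates are reported once.
unexpected_procs() {
    BASELINE_PAIRS="$1" awk '
        BEGIN { n = split(ENVIRON["BASELINE_PAIRS"], l, "\n")
                for (i = 1; i <= n; i++) { split(l[i], f, " "); known[f[1] " " f[2]] = 1 } }
        NF >= 2 { k = $1 " " $2; if (!(k in known) && !seen[k]++) print k }'
}

# Print accounts on stdin (passwd format) that can still get a shell and are
# not in the space-separated allow list ($1). An empty shell field counts,
# because it defaults to /bin/sh.
login_shell_accounts() {
    awk -F: -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^#/ || NF < 7 || ($1 in ok) { next }
        $7 == "" { print $1 ": (empty, defaults to /bin/sh)"; next }
        $7 !~ /\/(false|nologin)$/ { print $1 ": " $7 }'
}

printf '%s\n' "$SNAPSHOT" | unexpected_procs "$BASELINE"
printf '%s\n' "$PASSWD" | login_shell_accounts "root"
```

On a live host, feed the first function from `ps -e -o user= -o comm=` and the second from `/etc/passwd`; the baseline has to come from a time the machine was known to be clean.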

