hacked by rk.tar.gz

my linux redhat 6.2 server was hacked by rk.tar.gz.
someone can login to my server by a port without password protection.
and he can listen to port 110 to gain my clients' passwords.

Ang suggestions that I can do to protect the server now?
klnhkAsked:
Who is Participating?
 
LazypeteConnect With a Mentor Commented:
I also suggest after re-install that you use
Tripwire to know rapidly if it happens agains.

Tripwire is a intrusion detection software
that take a fingerprint of all system files on
your computer and notice you if one file has
been modified ( by a root kit exemple ).

Another secure distro is
EnGarde Linux
look at packetstorm.securify.com to know more about it.

I still have not tested EnGarde yet.. but I'll do it this week end.
0
 
jlevieCommented:
Your server wasn't "hacked by rk.tar.gz", that was the tar archive of the root kit that the cracker installed after they penetrated the system. I suspect that your 6.2 box didn't have all of the security updates (http://www.redhat.com/support/errata/rh62-errata-security.html) installed and one of them was exploited to gain access (probably the kernel or wu-ftp vulnerability).

The only really safe thing to do at this point is save data from the system that you need to keep and do a complete re-install. It seems fairly obvious that at least one root kit has been installed (which gives the cracker multiple ways to get into the system) and there is no easy way to determine what parts of the have been modified.  After reinstalling the OS, you need to get and apply all of the security updates before placing the server back on line. With the updates applied you can reload your saved data, but you'll need to carefully check any executables or scripts to make sure they haven't been modified by the cracker.
0
 
Bruce_RCommented:
try using bastille linux, it's a set of scripts that make a linux box more secure by closing all the unneeded ports, shutting down unneeded services etc. It will also download security patches and set up a firewall.

http://www.bastille-linux.org/
0
 
MoondancerCommented:
Your history reflects that you have asked a total of 38 questions at this site and only finalized 10 of them.  I think you'll agree this is not fair to the experts who have stepped in to help you, and it is against our Guidelines and Member Agreement, listed on the left under Help Desk.

I will update all your open items with a request to finalize them so that you are advised by Email of their open status and can quickly navigate through them and complete them.

If you need help to split points, process a refund and move to PAQ at zero, or otherwise special handle this question, please let us know.  I will monitor them all, and as usual, appreciate any expert input here.

Please also refer to these links:
http://www.experts-exchange.com/jsp/cmtyHelpDesk.jsp
http://www.experts-exchange.com/jsp/cmtyQuestAnswer.jsp
http://www.experts-exchange.com/jsp/infoMemberAgreement.jsp

Thanks,

Moondancer
Community Support Moderator @ Experts Exchange
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.