hacked by rk.tar.gz

Posted on 2001-07-30
Medium Priority
Last Modified: 2008-02-20
my linux redhat 6.2 server was hacked by rk.tar.gz.
someone can login to my server by a port without password protection.
and he can listen to port 110 to gain my clients' passwords.

Ang suggestions that I can do to protect the server now?
Question by:klnhk
LVL 40

Expert Comment

ID: 6334370
Your server wasn't "hacked by rk.tar.gz", that was the tar archive of the root kit that the cracker installed after they penetrated the system. I suspect that your 6.2 box didn't have all of the security updates (http://www.redhat.com/support/errata/rh62-errata-security.html) installed and one of them was exploited to gain access (probably the kernel or wu-ftp vulnerability).

The only really safe thing to do at this point is save data from the system that you need to keep and do a complete re-install. It seems fairly obvious that at least one root kit has been installed (which gives the cracker multiple ways to get into the system) and there is no easy way to determine what parts of the have been modified.  After reinstalling the OS, you need to get and apply all of the security updates before placing the server back on line. With the updates applied you can reload your saved data, but you'll need to carefully check any executables or scripts to make sure they haven't been modified by the cracker.

Expert Comment

ID: 6337205
try using bastille linux, it's a set of scripts that make a linux box more secure by closing all the unneeded ports, shutting down unneeded services etc. It will also download security patches and set up a firewall.


Accepted Solution

Lazypete earned 400 total points
ID: 6369312
I also suggest after re-install that you use
Tripwire to know rapidly if it happens agains.

Tripwire is a intrusion detection software
that take a fingerprint of all system files on
your computer and notice you if one file has
been modified ( by a root kit exemple ).

Another secure distro is
EnGarde Linux
look at packetstorm.securify.com to know more about it.

I still have not tested EnGarde yet.. but I'll do it this week end.

Expert Comment

ID: 6734092
Your history reflects that you have asked a total of 38 questions at this site and only finalized 10 of them.  I think you'll agree this is not fair to the experts who have stepped in to help you, and it is against our Guidelines and Member Agreement, listed on the left under Help Desk.

I will update all your open items with a request to finalize them so that you are advised by Email of their open status and can quickly navigate through them and complete them.

If you need help to split points, process a refund and move to PAQ at zero, or otherwise special handle this question, please let us know.  I will monitor them all, and as usual, appreciate any expert input here.

Please also refer to these links:


Community Support Moderator @ Experts Exchange

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

I. Introduction There's an interesting discussion going on now in an Experts Exchange Group — Attachments with no extension . This reminded me of questions that come up here at EE along the lines of, "How can I tell the type of file from its cont…
Can you run Linux on a Windows system?  Yep.  Here's how.
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question