Recovering from a man-in-the-middle attack?
How can I tell if I have actually been attacked? And if that is the case, how do I recover from it?
6 Replies
James
@inkleined:
How can I tell if I have actually been attacked? And if that is the case, how do I recover from it?
Your root password has been changed; what more do you want? Simple: re-install, and use backups of data to reinstate your losses.
This time, use some basic security when setting stuff up. Limit ranges to your ISP network subnet, use pubkey auth ONLY!, limit login to your user and give it no privileges so that you have to use sudo, use sudo su - to get a root prompt, and use TMOUT in your .bashrc to ensure that your user is auto-logged out if your Linode account gets compromised. Hell, look into setting root's shell to /bin/false; if you have to set up a recovery, edit your /etc/passwd file after booting into Finnix. Compromising a system isn't hard; the point is to delay the person as much as possible.
A temporary idea would be to purchase a doubled Linode for the larger hard drive, then mount it in the new Linode and pull data only! Don't trust your binaries into the new one. Buy another Linode that matches your current one, re-set up and put the old data back in your Linode, and then drop the other two Linodes.
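The hardening steps in the reply above (key-only SSH, no root login, one allowed user from one address range, an idle-shell timeout) as an added, runnable example; this is not code from the original thread or from Linode. It takes file paths as parameters so you can rehearse on copies of sshd_config and .bashrc, and it assumes OpenSSH sshd_config syntax, a Bourne-compatible shell, and awk/grep. The user name alice and the range 203.0.113.0/24 are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: apply the SSH/shell hardening
# described in the thread to a given sshd_config and .bashrc. Nothing here
# touches /etc unless you pass those paths in.
# Assumed: OpenSSH sshd_config syntax, POSIX sh, awk, grep, mktemp.

# Print the value sshd would actually use for a keyword. sshd takes the
# FIRST occurrence of a keyword, so a leftover "PasswordAuthentication yes"
# near the top silently overrides a "no" appended at the bottom. That is why
# harden_sshd_config prepends its block and strips older copies.
effective_setting() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd_config <sshd_config> <user> <cidr>
# Key auth only, no root over SSH, one named user, only from one range.
harden_sshd_config() {
    cfg="$1"; user="$2"; cidr="$3"
    tmp="$(mktemp)"
    {
        echo "# --- hardening: ${user} only, key auth only, from ${cidr} ---"
        echo "PubkeyAuthentication yes"
        echo "PasswordAuthentication no"
        echo "ChallengeResponseAuthentication no"   # also blocks keyboard-interactive passwords
        echo "PermitEmptyPasswords no"
        echo "PermitRootLogin no"
        echo "AllowUsers ${user}@${cidr}"           # HOST part of USER@HOST may be CIDR
        # Remove any earlier copies of these keywords so none can win the
        # first-match rule. Caveat: this also strips them from Match blocks;
        # review any Match block by hand afterwards.
        grep -Eiv '^[[:space:]]*(PubkeyAuthentication|PasswordAuthentication|ChallengeResponseAuthentication|KbdInteractiveAuthentication|PermitEmptyPasswords|PermitRootLogin|AllowUsers)([[:space:]]|=)' "$cfg" || :
    } > "$tmp"
    cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# set_shell_timeout <bashrc> <seconds>
# Auto-logout an idle interactive bash; readonly so a hijacked session
# cannot just "unset TMOUT". Idempotent: a second run adds nothing.
set_shell_timeout() {
    rc="$1"; secs="$2"
    grep -q '^readonly TMOUT=' "$rc" 2>/dev/null && return 0
    printf '\n# auto-logout idle shells after %s seconds\nreadonly TMOUT=%s\nexport TMOUT\n' \
        "$secs" "$secs" >> "$rc"
}

# Demo on a constructed weak config (sample input, not a real server's file).
demo_run() {
    demo_cfg="$(mktemp)"
    cat > "$demo_cfg" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
    echo "before: PermitRootLogin=$(effective_setting "$demo_cfg" PermitRootLogin)" \
         "PasswordAuthentication=$(effective_setting "$demo_cfg" PasswordAuthentication)"
    harden_sshd_config "$demo_cfg" alice 203.0.113.0/24
    echo "after:  PermitRootLogin=$(effective_setting "$demo_cfg" PermitRootLogin)" \
         "PasswordAuthentication=$(effective_setting "$demo_cfg" PasswordAuthentication)" \
         "AllowUsers=$(effective_setting "$demo_cfg" AllowUsers)"
    rm -f "$demo_cfg"
}

demo_run
```

Before pointing this at the real file, run it on a copy and validate the result with `sshd -t -f <copy>`, and keep an existing session open while you reload sshd so a typo in AllowUsers cannot lock you out. Put your key in the allowed user's authorized_keys first; with PasswordAuthentication off, there is no fallback.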
@danellis:
sudo su -? What's wrong with sudo -i?
Either one works; just less typing involved.
Maybe your node fell afoul of this http://www.linode.com/forums/viewtopic.php?t=3679