I have had a major hacking problem. While I am cleaning up this mess, what is the correct security for the /etc folder and for the passwd file? Do I have to give the world read permissions?
I'm afraid the /etc/passwd file must be world readable, if users should be able to log in. Use permissions 644.
On my system I have 755 rights on the /etc directory.
Re-installing everything is a must. IMHO Tony deserves a second star for this absolute truth.
Use the original CDs rather than a full backup from last week because the hackers might have been present for a long time.
If possible, try to find how they entered because if you don't tap that hole, the history might repeat.
If you want to investigate, mount your filesystem in read-only mode (so you won't modify or overwrite any evidence) and eventually make a copy. After re-installing, you will be able to compare the original files with the copy and detect eventual modifications in the OS binaries and in other critical files.
If you don't have one, a system like TripWire would be very useful in the future.
Also, when re-installing I would advise getting the latest STABLE version of your Linux flavor. There will probably be more security fixes. Also update any programs that you run. FTP, SENDMAIL and BIND are prime targets and should be kept up to date!
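
The comparison suggested in the thread (old disk mounted read-only versus a fresh install), together with a check of the 644 and 755 modes quoted above, as an added example that is not part of any post. The mount points `/mnt/clean` and `/mnt/evidence`, the script name and the function names are assumptions; it relies on GNU coreutils (`sha256sum`, `stat -c`).

```shell
#!/bin/sh
# Added example. Assumed (hypothetical) mount points:
#   /mnt/clean     fresh install from original media
#   /mnt/evidence  old disk, mounted read-only (e.g. mount -o ro,noexec)
# Requires GNU coreutils (sha256sum, stat -c).

# hash_tree DIR: print "<sha256>  ./relative/path" for each regular file in DIR.
hash_tree() {
    ( cd "$1" && find . -xdev -type f -exec sha256sum {} + )
}

# compare_trees CLEAN SUSPECT: one line per difference, sorted.
#   MODIFIED      same path, different content
#   ONLY_SUSPECT  present only on the old disk (possible planted file)
#   ONLY_CLEAN    present only in the fresh install (possibly deleted)
compare_trees() {
    clean_list=$(mktemp) || return 2
    suspect_list=$(mktemp) || return 2
    hash_tree "$1" > "$clean_list"
    hash_tree "$2" > "$suspect_list"
    # The hash is 64 hex chars plus two separator chars, so the path starts at
    # column 67; slicing by column keeps paths that contain spaces intact.
    awk '
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        FILENAME == ARGV[1] { clean[path] = hash; next }
        { seen[path] = 1
          if (!(path in clean)) print "ONLY_SUSPECT " path
          else if (clean[path] != hash) print "MODIFIED " path }
        END { for (p in clean) if (!(p in seen)) print "ONLY_CLEAN " p }
    ' "$clean_list" "$suspect_list" | LC_ALL=C sort
    rm -f "$clean_list" "$suspect_list"
}

# check_mode PATH OCTAL: return 0 if PATH has exactly that permission mode.
check_mode() {
    actual=$(stat -c '%a' "$1") || return 2
    [ "$actual" = "$2" ] && return 0
    echo "MODE $1 is $actual, expected $2"
    return 1
}

# Usage: sh compare.sh /mnt/clean /mnt/evidence
if [ "$#" -eq 2 ]; then
    compare_trees "$1" "$2"
    check_mode "$2/etc" 755
    check_mode "$2/etc/passwd" 644
fi
```

Binaries only match byte for byte when the clean tree is the same release and patch level as the old system, and configuration and log files will differ in any case, so read the MODIFIED list with that in mind.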