Re: Help... SSH CRC-32 compensation attack detector vulnerability
I know this is not a complete solution, but for starters you could try 'chkrootkit':
Stable doesn't have a package but I'm sure you could build the unstable .deb from source.
>>> "Jason Lim" <firstname.lastname@example.org> 12/03/01 08:33AM >>>
sigh... yes... some of our servers have been hit with the "SSH CRC-32
compensation attack detector vulnerability" attack.
some servers have been compromised, and the usual rootkit stuff (install
root shells in /etc/inetd.conf, bogus syslogd, haxored ps, etc.).
What is an easy way to locate binaries that are different from the ones
provided in the original debs?
And is there any other relatively easier way of cleaning up a system that
has had a rootkit installed?
We've done a netstat -a and removed/killed all strange processes, and
cleaned inetd.conf as much as we can, but some of the programs in
inetd.conf have themselves also been tampered with (eg. in.telnetd).
Please help... I have a bad feeling the crackers are coming back real soon
to really finish off the job... so any help at this time in removing all
their crap would be greatly appreciated.
To UNSUBSCRIBE, email to email@example.com
with a subject of "unsubscribe". Trouble? Contact firstname.lastname@example.org