
victim of stealthy rootkit



Hello All,

A persistent joker attacked me with lion, ramen, and a trojan I still
haven't found. I fired up the free ID scripts from SANS; did a whole lot of
combing the filesystems; did away with cgi-bin; retained only root and my
account as /bin/bash; and uninstalled everything except gnome+enlightenment
and basic services. Just when I think that I've cleaned this menace out of my
system, he's back to wreak more havoc.

Is it possible that he rolled up a "trojan kernel" with daemons that nmap,
lsof and grep cannot detect to be listening? Now, postfix gets 'Name service
errors' for any domain except mine; he has my eth0 automatically going
promiscuous for sniffing; and he even managed to lock /etc/passwd.

We're reinstalling the system, but it's important for me to know exactly how
this guy does what he does. Comments, anyone?


Thanks,

Erik








