
Re: victim of stealthy rootkit



On Mon, Apr 09, 2001 at 12:16:18PM -0700, Erik Abella wrote:
> Hello All,
> 
> A persistent joker attacked me with lion, ramen, and a trojan I still
> haven't found. I fired-up the free ID-scripts from SANS; did a whole lot of
> combing the filesystems; done away with cgi-bin; retained only root and my
> account as /bin/bash; and uninstalled everything except gnome+enlightenment
> and basic services - Just when I think that I've cleaned this menace out of my
> system, he's back to wreak more havoc.
> 
> Is it possible that he rolled-up a "trojan kernel" with daemons that nmap,
> lsof and grep cannot detect to be listening? Now, postfix gets 'Name service
> errors' for any domain except mine; has my eth0 automatically going
> promiscuous for sniffing; and even managed to lock /etc/passwd.
> 
> We're reinstalling the system but it's important for me to know how exactly
> this guy does what he does. Comments, anyone?

I would hope you are using something like tripwire or aide, and keeping it
current. Anything that changed on the system would be pointed out. Set these
up *before* opening your system up to the world, and use an IDS like snort
to watch things from a network level. Also, syslog to a secure(r) host so
logs cannot be tampered with.

Tim

-- 
   >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
   >> Tim Sailer (at home)             ><  Coastal Internet, Inc.          <<
   >> Network and Systems Operations   ><  PO Box 671                      <<
   >> http://www.buoy.com              ><  Ridge, NY 11961                 <<
   >> tps@unslept.com/tps@buoy.com     ><  (631) 924-3728                  <<
   >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
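The baseline-and-compare that tripwire or aide automate, as an added Python example (not code from either project or from this thread): the directory, file names and the "trojaned" contents are constructed for the demonstration, and the point is that a replaced binary with the same size and a restored mtime is still caught by its hash.

```python
import hashlib
import os
import tempfile

def fingerprint(path):
    """Content hash plus the metadata a rootkit often preserves (mode, size, mtime)."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": st.st_mode & 0o7777,
            "size": st.st_size, "mtime": int(st.st_mtime)}

def baseline(root):
    """Fingerprint every regular file under root; keep the result off-host."""
    db = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            if os.path.isfile(p) and not os.path.islink(p):
                db[os.path.relpath(p, root)] = fingerprint(p)
    return db

def verify(root, db):
    """Compare the tree against a saved baseline and report what differs."""
    now = baseline(root)
    changed = {p: [k for k in db[p] if db[p][k] != now[p][k]]
               for p in db.keys() & now.keys()}
    return {"added": sorted(now.keys() - db.keys()),
            "removed": sorted(db.keys() - now.keys()),
            "changed": {p: d for p, d in changed.items() if d}}

def demo():
    """Constructed scenario: a binary is swapped for a same-size replacement with
    the old mtime put back, and a new file appears; only the hash gives it away."""
    root = tempfile.mkdtemp()
    ls = os.path.join(root, "bin", "ls")
    os.makedirs(os.path.dirname(ls))
    with open(ls, "wb") as f:
        f.write(b"original ls bytes")
    st = os.stat(ls)
    db = baseline(root)  # taken before the box is exposed to the network
    with open(ls, "wb") as f:
        f.write(b"trojaned ls bytes")  # same length as the original
    os.utime(ls, (st.st_atime, st.st_mtime))  # restore the old timestamp
    with open(os.path.join(root, "bin", "login"), "wb") as f:
        f.write(b"new file")
    return verify(root, db)
```

The baseline must be taken before exposure and stored where an intruder on the host cannot rewrite it, or the comparison proves nothing.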


