Re: victim of stealthy rootkit

To: Erik Abella <epabella@excite.com>
Cc: debian-isp@lists.debian.org
Subject: Re: victim of stealthy rootkit
From: Nate Duehr <nate@natetech.com>
Date: Wed, 11 Apr 2001 00:15:30 -0600
Message-id: <20010411001530.D21630@natetech.com>
In-reply-to: <8128292.986843780273.JavaMail.imail@doodle.excite.com>; from epabella@excite.com on Mon, Apr 09, 2001 at 12:16:18PM -0700
References: <8128292.986843780273.JavaMail.imail@doodle.excite.com>

On Mon, Apr 09, 2001 at 12:16:18PM -0700, Erik Abella wrote:
> A persistent joker attacked me with lion, ramen, and I trojan I still
> haven't found. I fired-up the free ID-scripts from SANS; did a whole lot of
> combing the filesystems; done away with cgi-bin; retained only root and my
> account as /bin/bash; and uninstalling everything except gnome+enlightenment
> and basic services - Just when I think that I've cleaned this menace out my
> system, he's back to wreak more havok.
> 
> Is it possible that he rolled-up a "trojan kernel" with daemons that nmap,
> lsof and grep cannot detect to be listening? Now, postfix gets 'Name service
> errors' for any domain except mine; has my eth0 automatically going
> promiscuous for sniffing; and even managed to lock /etc/passwd.
> 
> We're reinstalling the system but it's important for me to know how exactly
> this guys does what he does. Comments, anyone?

You may want to consider keeping a copy of sash around.  (Statically
linked shell -- no shared libraries.)  It can be useful for repairs
and/or doing intrusion analysis.

-- 
Nate Duehr <nate@natetech.com>

GPG Key fingerprint = DCAF 2B9D CC9B 96FA 7A6D AAF4 2D61 77C5 7ECE C1D2
Public Key available upon request, or at wwwkeys.pgp.net and others.

Reply to:

References:
- victim of stealthy rootkit
  - From: Erik Abella <epabella@excite.com>

Prev by Date: Re: web mail without local mail
Next by Date: Re: web mail without local mail
Previous by thread: Re: victim of stealthy rootkit
Next by thread: extrange /etc/passwd behavior
Index(es):
- Date
- Thread