Re: Help... SSH CRC-32 compensation attack detector vulnerability
On Mon, Dec 03, 2001 at 09:33:07AM +1100, Jason Lim wrote:
> Hi,
>
> sigh... yes... some of our servers have been hit with the "SSH CRC-32
> compensation attack detector vulnerability" attack.
>
> some servers have been compromised, and the usual rootkit stuff (install
> root shells in /etc/inetd.conf, bogus syslogd, haxored ps, etc.).
>
> What is an easy way to locate binaries that are different from the ones
> provided in the original debs?
You *are* running either tripwire or aide, right? :(
> And is there any other relatively easier way of cleaning up a system that
> has had a rootkit installed?
debsums will help you with identifying if a binary changed, but if
something was added, you will never know unless you stumble onto it.
> We've done a netstat -a and removed/killed all strange processes, and
> cleaned inetd.conf as much as we can, but some of the programs in
> inetd.conf have themselves also been tampered with (eg. in.telnetd).
>
> Please help... I have a bad feeling the crackers are coming back real soon
> to really finish off the job... so any help at this time in removing all
> their crap would be greatly appreciated.
I'm really going to have to write up something on securing a machine. There
is no such thing as an uncrackable machine, but your job of cleaning it
up can be a little easier if you prepare ahead of time for it.
Tim
--
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>> Tim Sailer (at home) >< Coastal Internet, Inc. <<
>> Network and Systems Operations >< PO Box 671 <<
>> http://www.buoy.com >< Ridge, NY 11961 <<
>> tps@unslept.com/tps@buoy.com >< (631) 924-3728 <<
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
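Tim's two points above (debsums catches a modified binary; it cannot see a file that was simply added) can be shown side by side. The script below is an added example, not code from the thread, from Debian or from debsums: it builds a throwaway fixture that stands in for / and /var/lib/dpkg/info, records checksums and file lists in the same formats dpkg uses (`<pkg>.md5sums` lines of "hash  path", `<pkg>.list` lines of absolute paths), then replaces ps and drops in an extra file. Step one re-verifies every recorded checksum, which is what debsums does; step two lists files present on disk that no package's `.list` claims, which debsums never does. All paths, package names and file contents are constructed for the fixture.

```shell
#!/bin/sh
# Added example: a debsums-style checksum check plus a search for files
# that no installed package owns. Runs entirely inside a temporary
# fixture ($FIXTURE/root stands in for /, $FIXTURE/info for
# /var/lib/dpkg/info); nothing on the real system is read or changed.
LC_ALL=C; export LC_ALL
FIXTURE=$(mktemp -d)
trap 'rm -rf "$FIXTURE"' EXIT

# Build a fake installed system with two packages, then tamper with it the
# way the post describes: a trojaned ps and an extra file no package owns.
# Package names, paths and contents are constructed, not real Debian data.
make_fixture() {
    mkdir -p "$FIXTURE/root/bin" "$FIXTURE/root/sbin" "$FIXTURE/info"
    printf 'original ps binary\n' > "$FIXTURE/root/bin/ps"
    printf 'original ls binary\n' > "$FIXTURE/root/bin/ls"
    printf 'original syslogd\n'   > "$FIXTURE/root/sbin/syslogd"
    # Record what dpkg would have recorded at install time.
    ( cd "$FIXTURE/root" && md5sum bin/ps bin/ls ) > "$FIXTURE/info/procps.md5sums"
    printf '/bin\n/bin/ps\n/bin/ls\n' > "$FIXTURE/info/procps.list"
    ( cd "$FIXTURE/root" && md5sum sbin/syslogd ) > "$FIXTURE/info/sysklogd.md5sums"
    printf '/sbin\n/sbin/syslogd\n' > "$FIXTURE/info/sysklogd.list"
    # The "compromise".
    printf 'haxored ps\n' > "$FIXTURE/root/bin/ps"
    printf 'backdoor\n'   > "$FIXTURE/root/bin/.ssh2d"
}

# Step 1 (what debsums does): recompute every recorded checksum and print
# "<package> <path>" for each file whose contents no longer match or which
# is missing. Files that are not listed in any .md5sums are never looked at.
changed_files() {
    for sums in "$FIXTURE"/info/*.md5sums; do
        pkg=$(basename "$sums" .md5sums)
        while read -r sum path; do
            actual=$( cd "$FIXTURE/root" && md5sum "$path" 2>/dev/null | cut -d' ' -f1 )
            [ "$actual" = "$sum" ] || echo "$pkg /$path"
        done < "$sums"
    done
}

# Step 2 (what debsums cannot do): compare every regular file actually on
# disk against the union of all packages' .list files and print the ones
# no package claims. A baseline taken before the break-in (tripwire/aide)
# answers the same question without trusting the possibly edited .list files.
unowned_files() {
    cat "$FIXTURE"/info/*.list | sort -u > "$FIXTURE/owned"
    ( cd "$FIXTURE/root" && find . -type f | sed 's|^\.||' ) | sort -u > "$FIXTURE/present"
    comm -13 "$FIXTURE/owned" "$FIXTURE/present"
}

make_fixture
echo "changed or missing (package /path):"
changed_files
echo "present but owned by no package:"
unowned_files
```

On a real box the two checks read `/var/lib/dpkg/info/*.md5sums` and `*.list` against `/`; note that both files live on the compromised disk, so an intruder who rewrites them alongside the binaries defeats the check, and a replaced ps or kernel module can lie about what is running. Run the comparison from a clean boot medium, or against checksums from the original .deb files, and treat a clean result from the running system as weak evidence only.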