
Re: chkrootkit has me worried!



Thanks for the replies.

What with it being several different symptoms, I tend to think this is not a
false positive.

Cause:

This is an old server which has been running for 4 years.

I have tried out lots of different things on this server and have made the
mistake of leaving unnecessary services running.

In this case I think that Webmin was running the miniserv.pl server, and this
had a security warning issued for the version I had.

It doesn't seem to have been fixed in the Debian security fixes - I'll
contact Debian re this.

Or it might have been a weakness in Zope.

Luckily I was halfway through moving everything off this server to a new
pair of servers and have been able to move the changeover forwards.

Also - very luckily - no data on the server has been damaged. It seems to
spawn lots of hidden processes and has had to be rebooted to get it under
control again.

Main points learnt:

Make sure you have snapshot backups going back months.

Regularly run chkrootkit and get the server to email the results to you.

If backing up to another server, get that server to pull backups out. On my
new machines I was pushing out the backups from the primary server - this
would mean a cracker would then have an easy way in to the backup machine
because I was using authorized_keys so the backup would run in a script.

But mainly only run required services - and check them closely - and don't
rely on your distro to incorporate every single security patch required for
your server.

Kev

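The "run chkrootkit regularly and have the server email you the results" point above, as an added example that is not Kev's script and not anything shipped with chkrootkit: a POSIX sh wrapper meant to be called from cron. It assumes chkrootkit is on the PATH and the job runs as root, that `mail` and a local MTA are working, and it uses ADMIN_MAIL and REPORT_DIR as placeholders to set for your site. The INFECTED/Warning filter is a heuristic over chkrootkit's report format, not an official interface.

```shell
#!/bin/sh
# Added example, not from the original post: a cron job that runs chkrootkit,
# keeps the full report on disk and mails it with a verdict in the subject.
# Assumptions: chkrootkit is in PATH and we run as root, `mail` and a local
# MTA work, and the two variables below are placeholders to set for your site.

ADMIN_MAIL="${ADMIN_MAIL:-root}"                     # who gets the report
REPORT_DIR="${REPORT_DIR:-/var/log/chkrootkit}"      # where reports are kept

# Print the lines of a chkrootkit report that need a human. chkrootkit marks
# a positive test "INFECTED" and anything odd (e.g. chkproc's hidden-process
# check) "Warning"; the uppercase match ignores the routine "not infected"
# lines. Exit status follows grep: 0 if anything was flagged, 1 if not.
chkrootkit_findings() {
    grep -E 'INFECTED|Warning' "$1"
}

# Subject line: host plus a clear verdict, so a mailbox scan shows the bad day.
# $1 = report file, $2 = host name (defaults to hostname(1))
report_subject() {
    host="${2:-$(hostname)}"
    if chkrootkit_findings "$1" >/dev/null; then
        printf 'chkrootkit on %s: ATTENTION (%s finding(s))\n' "$host" \
            "$(chkrootkit_findings "$1" | wc -l | tr -d ' ')"
    else
        printf 'chkrootkit on %s: clean\n' "$host"
    fi
}

# Run the scan and mail it. The report is mailed every time, as the post
# suggests, so a missing mail is itself a sign that cron or the host is off.
main() {
    mkdir -p "$REPORT_DIR"
    report="$REPORT_DIR/chkrootkit-$(date +%Y%m%d-%H%M%S).log"
    # chkrootkit's exit status is not relied on; the report text is what matters.
    chkrootkit > "$report" 2>&1 || true
    {
        printf 'Flagged lines:\n'
        chkrootkit_findings "$report" || printf '(none)\n'
        printf '\nFull report:\n\n'
        cat "$report"
    } | mail -s "$(report_subject "$report")" "$ADMIN_MAIL"
}

# Only scan when called with "run" (e.g. from cron); sourcing the file or
# calling it with no argument just defines the functions.
case "${1:-}" in
    run) main ;;
esac
```

Installed as, say, /usr/local/sbin/chkrootkit-report.sh (a path chosen here, not from the post), a daily entry such as `0 4 * * * root /usr/local/sbin/chkrootkit-report.sh run` in /etc/crontab gives the routine Kev describes; the on-disk copies in REPORT_DIR let you diff today's report against last week's when a Warning line first appears.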

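The pull-not-push backup lesson above, as an added example that is not Kev's setup and not part of rsync or OpenSSH: a POSIX sh script that writes the restricted authorized_keys entry the primary should hold for the backup host, audits an authorized_keys file for entries that lack such restrictions, and runs the pull from the backup side. It assumes the primary has rsync's rrsync helper installed and on the PATH, that the backup host keeps its private key at /root/.ssh/backup_pull, and it uses the `backup` account, the host names and the 192.0.2.10 address as placeholders. The audit is a substring check on the option names documented in sshd(8), so a key line with those words only in its comment would be misjudged.

```shell
#!/bin/sh
# Added example, not from the original post: make the backup host pull, and
# check that any key the primary accepts for that job is locked down.
# Assumptions: rsync's rrsync helper is installed on the primary, the backup
# host's private key is /root/.ssh/backup_pull, and the account, host names
# and addresses below are placeholders.

# Build the authorized_keys entry the primary should hold for the backup
# account: only the pull source may connect, only rrsync may run, read-only,
# and `restrict` turns off pty, forwarding and the rest (see sshd(8)).
# $1 = backup host address (from=), $2 = tree to export, $3 = public key line
restricted_backup_key() {
    printf 'from="%s",command="rrsync -ro %s",restrict %s\n' "$1" "$2" "$3"
}

# Report authorized_keys entries that lack a forced command or one of the
# no-* restrictions (a plain `restrict` counts as all of them). Returns 0
# when every key is restricted, 1 when at least one is not.
audit_authorized_keys() {
    unrestricted=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;          # blank line or comment
        esac
        missing=""
        case "$line" in
            *'command='*) ;;
            *) missing="$missing command=" ;;
        esac
        case "$line" in
            *restrict*) ;;                # covers every no-* option
            *)
                for opt in no-pty no-port-forwarding no-agent-forwarding no-X11-forwarding; do
                    case "$line" in
                        *"$opt"*) ;;
                        *) missing="$missing $opt" ;;
                    esac
                done ;;
        esac
        if [ -n "$missing" ]; then
            unrestricted=1
            # the last field is the key comment, usually who or what owns it
            printf 'unrestricted key "%s" missing:%s\n' \
                "$(printf '%s\n' "$line" | awk '{print $NF}')" "$missing"
        fi
    done < "$1"
    [ "$unrestricted" -eq 0 ]
}

# On the backup host: pull the tree over ssh with the dedicated key. With
# rrsync on the far side the remote path is relative to the exported tree.
# $1 = primary host, $2 = local destination directory
pull_backup() {
    rsync -a --delete -e 'ssh -i /root/.ssh/backup_pull' "backup@$1:/" "$2/"
}

case "${1:-}" in
    audit) audit_authorized_keys "${2:-/home/backup/.ssh/authorized_keys}" ;;
    pull)  pull_backup "${2:-primary.example.org}" "${3:-/srv/backups/primary}" ;;
esac
```

The direction is the point: the only long-lived key is held by the backup host, and what the primary accepts for it can do nothing but serve rsync read-only from one tree, so a compromised primary gains no way into the backup machine. Running `audit` against the authorized_keys files on both hosts catches the push-style key Kev describes, where a script's unrestricted key on the backup host hands a cracker a shell there too.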
