
Re: Am I Compromised -- Some interesting findings



On (25/11/05 13:30), Derek The Monkey Wueppelmann wrote:
> On Fri, 2005-25-11 at 23:21 +0530, Ritesh Raj Sarraf wrote:
> > That is what got me confused at first. Since there's no /usr/sbin/httpd
> > binary in a Debian based apache installation I was wondering how this was
> > being shown. And interestingly there was no /usr/sbin/httpd file present
> > also.
> 
> If the system has been rooted, then you can't count on anything that is
> reported by ps. Probably one of those scripts in /tmp is being run and
> then it masquerades as being /usr/sbin/httpd, which on redhat systems
> and other *nix distributions would be considered innocuous.
>  
> > That's the biggest challenge right now. I don't have physical access to the
> > system and I don't think my client will be able to bear my travelling
> > expenses.
> 
> That does pose a problem. I don't know an easy way to validate the
> system and clean it while attacks are still happening, or even worse
> someone has a shell account onto the system.
> 
> > chkrootkit came of no help. It reported that the system was absolutely fine.
> > I haven't tried tiger yet.
> 
> Hmm, I'm pretty new to that tool and the tiger tool as well. So I'm not
> sure what else to suggest at this point. Hopefully others on this list
> and the debian-isp list will also be able to help out.

I read here recently about shutting out all ssh access other than your
own but you need to be careful not to lock yourself out.  You then need
to close all the ports other than ssh. Not something I've ever done.  It
would also make sense to close down all external services other than
ssh.

You should then be in a position to investigate what has occurred.

Regards

Clive

-- 
www.clivemenzies.co.uk ...
...strategies for business
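The lockdown Clive describes (SSH from one address only, every other inbound port closed) is usually done with a packet filter, and the "don't lock yourself out" caveat is handled by applying the rules with an automatic rollback. The following is an added example written for this thread, not code from any of the posters: it generates an iptables-restore ruleset for a single administrative address and applies it with a timed rollback. The address 203.0.113.5, the sentinel path /run/lockdown.confirm and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): restrict inbound traffic to SSH from one
# administrative address and drop everything else, with a rollback timer so a
# mistake does not lock the remote administrator out.

# Print a complete iptables-restore ruleset for the given admin address.
# Lines beginning with '#' are ignored by iptables-restore.
gen_lockdown_rules() {
  admin_ip="$1"
  ssh_port="${2:-22}"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback stays open so local services keep talking to each other
-A INPUT -i lo -j ACCEPT
# replies to connections the machine itself initiated (apt, DNS, ...)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# new SSH sessions only from the administrator's address
-A INPUT -p tcp -s ${admin_ip} --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
# every other external service (and anything an intruder may be listening on) is dropped
-A INPUT -j DROP
COMMIT
EOF
}

# Apply the ruleset, but restore the previous rules after $grace seconds unless
# the administrator confirms the new rules by removing the sentinel file from a
# fresh SSH session. Requires root; paths are constructed for this example.
apply_with_rollback() {
  admin_ip="$1"
  grace="${2:-120}"
  sentinel="/run/lockdown.confirm"
  backup="/run/lockdown.previous"

  iptables-save > "$backup" || return 1
  touch "$sentinel"
  # Background watchdog: if the sentinel still exists when the timer expires,
  # the administrator never got back in, so roll back to the saved rules.
  ( sleep "$grace"; [ -e "$sentinel" ] && iptables-restore < "$backup" ) &

  gen_lockdown_rules "$admin_ip" | iptables-restore || return 1
  echo "Rules applied. Reconnect from ${admin_ip} and run 'rm ${sentinel}' within ${grace}s to keep them."
}

# Usage (as root on the affected host):
#   apply_with_rollback 203.0.113.5 120
```

The watchdog is the important part: the new rules only become permanent once you have proven you can still log in from the allowed address. If the SSH session was coming from a different address than the one you typed, the old rules return after the grace period instead of leaving the box unreachable. Note that this only prevents new inbound connections; an intruder who already has a shell, as Derek mentions, keeps it until that session is killed, which is another reason to investigate from a fresh, restricted login rather than trusting what the running system reports.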
