
Re: chkrootkit infected ports 2881 - conundrum



Sam Kuper wrote:
> 2) Assuming your server is hosted with VPSVille, Slicehost or some
> other hosting company that doesn't give you physical access but does
> have a facility for reinstalling your OS on demand, you could, in the
> following order:
>
> - Back up your data from it locally;
> - Prepare a script that will run iptables to disable all connections
> except SSH access and apt-get connections;
> - Reinstall the OS;
> - Immediately log in, upload the script and run it;
> - apt-get install rkhunter;
> - Generate the hashes (if you're on Etch, this won't work, as the
> rkhunter in Etch doesn't include the -propupd option, but on Lenny it
> should be possible. For ways to generate rkhunter hashes on Etch, see
> my recent mailing list thread, "rkhunter on Etch");
> - download copies to your local machine.
>
> Congratulations. Unless someone rooted you in the few minutes it took
> to do this (this is very unlikely unless your hosting provider
> installs the OS in some crazy-ass wide-open-to-exploitation fashion -
> see point 1 above), you now have a set of hashes you can trust, and
> which you can write to RO media from your local machine.
>
> NB. I haven't tried this myself, but I'm putting together a plan for
> securing my own VPS, and this is the general principle (I should add,
> I won't be relying solely on rkhunter!). So, if anyone reads the above
> and spots that I've missed something crucial, please let me know :)
>   

It looks like a fine plan; the probability that someone attacked the
system in the small interval it was open is as small as it can get.

However, how will you do verification? If the worst happens and someone
gets access to the system, it is possible to hide their traces, and in
some way return the valid hashes instead of the actual ones for the
infected files. That is, however, not necessarily feasible, and
combining this with other checks, the probability of an attack going
undetected is small, though it could happen.

What I could recommend is to run only the necessary services, and if
possible restrict the IPs allowed to connect to them, keep the system
updated with security fixes, make frequent backups, and other obvious
things that we all already know of. :-)

-- 
White dwarf seeks red giant for binary relationship.

Eduardo M KALINOWSKI
eduardo@kalinowski.com.br
http://move.to/hpkb

