[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: chkrootkit infected ports 2881 - conundrum

On Tue, 2008-08-26 at 23:10 +0100, Adam Hardy wrote:

> All the hacker needs to do, before rooting the system, is to run my cronjobs and 
> save the output, and then change the cronjobs to email me these 'all clear' 
> reports instead. The reports don't even have dates or times that require 
> updating. I have been known to let my server run for weeks without logging on.

One way to get around this problem is to have mails to root sent to an
email account you have off-site.  Since rkhunter's output isn't sitting
in a local mail spool, an intruder trying to hide his footsteps would
have to compromise a second system to get at your email to stop you from
receiving it's output.

Paul Johnson

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: