- <li><em>date</em>: Tue Jan 11 12:44:32 2005</li>
- <li><em>from</em>: attriel at d20boards.net (attriel)</li>
- <li><em>in-reply-to</em>: <<a href="msg00364.html">[email protected]</a>></li>
- <li><em>references</em>: <<a href="msg00364.html">[email protected]</a>></li>
- <li><em>subject</em>: [ale] Compromised System</li>
(1) You REALLY want to do the scorched earth route. It's the only way to
be sure
(2) If you can get static compiles of ls, ps and chkrootkit (or however
that tool is spelled), built on a SEPARATE machine, you can try to look.
BUT! That won't guarantee, it'll just help you find things.
Common rootkits, last I looked, put in hacked versions of ls (to not show
their secret dirs), ps (to not show their secret listeners), netstat (to
not show their open ports), iptables (to not tell you it's open), etc.
more, less are modified to show archived versions of files rather than the
new (hacked) versions, etc, etc, etc.
Some of the newer ones/active attackers put in silent kernel modules
(which won't show up on the hacked ls, and won't show up on the hacked
lsmod, depmod, or rmmod). No way to be sure about the kernel mod, really.
My vital servers have started running without loadable modules, now, to
tighten that up.
Your user should not be allowed back on the server. You WANT to rebuild
it, or you ARE still compromised.
Run crack (or whatever the latest password checkers are), see if anyone
else has bad passwords. Run them regularly, to see if someone MAKES one.
If you got hit by a scriptkiddie, you might be able to recover and be OK
until you can do a rebuild next week. If you got hit by a real attack,
and they're competent, you're unlikely to find all the bits.
--attriel
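The cross-check the post's point (2) is getting at, as an added example that is not the poster's own script: enumerate /proc with the shell's own globbing (no ls) and compare it with what ps reports, so a userland rootkit that patches ps to hide a process shows up as a PID the kernel knows about but ps does not list. It assumes a Linux /proc, the standard `ps -e -o pid=` option, and that it is run from a statically built shell copied from clean media; as the post says, a kernel module that filters /proc itself defeats this check.

```shell
#!/bin/sh
# Compare PIDs the kernel exposes in /proc with PIDs the (possibly trojaned)
# ps reports. A trojaned ps can drop lines from its own output, but it cannot
# remove /proc/<pid> directories; only a kernel-level rootkit can do that.

# hidden_pids PROC_LIST PS_LIST
#   Both arguments are whitespace-separated PID lists. Prints, one per line,
#   every PID that is in PROC_LIST but missing from PS_LIST.
hidden_pids() {
    for pid in $1; do
        found=0
        for p in $2; do
            if [ "$pid" = "$p" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then printf '%s\n' "$pid"; fi
    done
}

# persistent_hidden FIRST SECOND
#   PIDs present in both snapshots: first minus (first minus second).
#   Short-lived processes that exit between the two listings appear in only
#   one snapshot and are therefore not reported as hidden.
persistent_hidden() {
    hidden_pids "$1" "$(hidden_pids "$1" "$2")"
}

# snapshot_hidden: one pass of /proc-vs-ps on the live system.
snapshot_hidden() {
    [ -d /proc/self ] || { echo "no /proc on this system" >&2; return 1; }
    proc_pids=""
    for d in /proc/[0-9]*; do
        proc_pids="$proc_pids ${d#/proc/}"   # shell globbing, not ls
    done
    ps_pids=$(ps -e -o pid=)                  # every PID, no header
    hidden_pids "$proc_pids" "$ps_pids"
}

# live_pid_check: two snapshots a second apart; only PIDs hidden in both
# are reported, which filters out the race with transient processes.
live_pid_check() {
    first=$(snapshot_hidden) || return 1
    sleep 1
    second=$(snapshot_hidden) || return 1
    persistent_hidden "$first" "$second"
}

if [ "${1-}" = "--live" ]; then live_pid_check; fi
```

Any PID printed by `live_pid_check` deserves a look at `/proc/<pid>/exe` and `/proc/<pid>/cmdline` from the trusted shell before deciding the box is clean.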
</pre>
</body>
</html>