tripwire failed???
- From: anthony@xxxxxxxxxxxx
- Date: Sun, 15 Jul 2007 15:11:11 -0400 (EDT)
I have discovered that my server has been compromised. I believe it's
some sort of rootkit. It has managed to circumvent both rkhunter and
tripwire. The only reason I detected it is because I happened to run a
'ps' command when the server was slow and noticed a connection from an
unwarranted user. I then 'netstat'ed. Apparently, the attacker(s) is
utilizing a program that obfuscates their presence in the usual logging
areas as well. I just "happened" to catch them. 'ps -aux' showed that an
UNKNOWN user was utilizing sshd. I was able to parse output to a file for
further viewing. I would post 'log-files' but they show no indication of
compromise (as far as I can tell).
I know that there are a plethora of rootkits in circulation, but does
anyone know how I might detect/remove such rootkit? I hate to have to
reload OS/tripwire/rkhunter/reload permissions... start over.
Any other tools I should be utilizing?
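A first cross-check for the situation described above, added here as an example and not taken from the original post or its replies: compare the PIDs the kernel exposes under /proc with the PIDs ps reports, since a userland rootkit that trojans ps (or the libc calls behind it) cannot easily remove a running process's /proc entry. The function names hidden_pids, live_proc_pids and live_ps_pids are my own.

```shell
#!/bin/sh
# Added example (not from the original post). A userland rootkit can trojan
# `ps` or hook the libc calls it relies on, so ps omits the intruder's
# processes; the kernel's own view under /proc is harder to falsify without
# a kernel module. Any PID present in /proc but missing from ps output is a
# candidate hidden process and a sign that ps itself can no longer be trusted.

# hidden_pids PROC_LIST PS_LIST
# Both arguments are whitespace-separated PID lists. Prints, one per line and
# in ascending order, the PIDs found in PROC_LIST but not in PS_LIST.
hidden_pids() {
    _proc=$1
    _ps=$2
    for _pid in $_proc; do
        _found=0
        for _p in $_ps; do
            if [ "$_pid" = "$_p" ]; then
                _found=1
                break
            fi
        done
        if [ "$_found" -eq 0 ]; then
            echo "$_pid"
        fi
    done | sort -n
}

# live_proc_pids: PIDs the kernel exposes as numeric directories under /proc.
live_proc_pids() {
    for _d in /proc/[0-9]*; do
        echo "${_d#/proc/}"
    done
}

# live_ps_pids: PIDs reported by ps (no header), the view a rootkit can edit.
live_ps_pids() {
    ps -e -o pid= | tr -d ' '
}

# Run with --live on the suspect host to compare the two views. Short-lived
# processes can show up in one snapshot and not the other, so take both
# snapshots back to back and re-run to confirm any hit before acting on it.
if [ "${1:-}" = "--live" ]; then
    _hidden=$(hidden_pids "$(live_proc_pids)" "$(live_ps_pids)")
    if [ -n "$_hidden" ]; then
        echo "PIDs visible in /proc but not in ps:"
        echo "$_hidden"
    else
        echo "No hidden PIDs found (ps and /proc agree)."
    fi
fi
```

A kernel-level rootkit can filter the /proc listing as well, so agreement between the two views is not proof of a clean host; a disagreement, however, is a strong signal worth investigating from a trusted boot medium.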