Re: tripwire failed???



> I have discovered that my server has been compromised.

Welcome to the happy club comprising... everybody who's ever managed a
server :D

> I believe it's some sort of rootkit.

You should also hunt for the way IN, otherwise you will never shut out
the attacker. The rootkit is a way to REMAIN in, not a way to get entry.

> It has managed to circumvent both rkhunter and tripwire.

Cool. How are you running tripwire, exactly? Is the list of hashes on
the same box that was compromised? If so, I believe I can see why your
tripwire didn't work :D

Also, if the rootkit is loaded in kernel space, tripwire will be silent.

> Anyone know how I might detect/remove such rootkit? I hate to have to
> reload OS/tripwire/rkhunter/reload permissions... start over.

Sorry, you have to. There's no other safe way to get that box clean.

Stefano
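An added illustration of the point about the hash list living on the compromised box (example code, not from this thread or from tripwire itself): a minimal baseline whose database is authenticated with an HMAC key kept off the monitored host, so a rewritten on-box database is detected as well as a modified file. The key name and file names are constructed for the demo; as noted above, this does nothing against a kernel-mode rootkit that lies about file contents.

```python
# Added example (not from the thread): a tripwire-style baseline whose
# database is authenticated with an HMAC key that lives OFF the monitored
# host. An intruder who edits a file and then rewrites the on-box hash
# database is still caught, because the MAC cannot be recomputed without
# the key. Does not help when a kernel rootkit falsifies file reads.
import hashlib, hmac, json, os, tempfile

def build_baseline(paths, key):
    """Hash each file; return (db_json, mac) where mac authenticates db_json."""
    entries = {}
    for p in sorted(paths):
        with open(p, "rb") as f:
            entries[p] = hashlib.sha256(f.read()).hexdigest()
    db = json.dumps(entries, sort_keys=True)
    return db, hmac.new(key, db.encode(), "sha256").hexdigest()

def verify(db, mac, key):
    """Return ("db_tampered", None) if the baseline itself was altered,
    otherwise ("ok", changed) with the files whose hash differs."""
    expected = hmac.new(key, db.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(mac, expected):
        return "db_tampered", None
    changed = []
    for p, digest in json.loads(db).items():
        try:
            with open(p, "rb") as f:
                cur = hashlib.sha256(f.read()).hexdigest()
        except FileNotFoundError:
            cur = None
        if cur != digest:
            changed.append(p)
    return "ok", changed

def demo():
    """Constructed scenario: one 'binary', then a trojaned copy, then an
    attacker-rebuilt database that carries no valid MAC."""
    key = b"kept-on-another-host"          # assumption: key stored off-box
    d = tempfile.mkdtemp()
    target = os.path.join(d, "ls")
    with open(target, "wb") as f:
        f.write(b"original binary")
    db, mac = build_baseline([target], key)
    before = verify(db, mac, key)             # ("ok", [])
    with open(target, "wb") as f:
        f.write(b"trojaned binary")
    after = verify(db, mac, key)              # ("ok", [target])
    fake_db, _ = build_baseline([target], b"wrong-key")  # re-baselined on-box
    forged = verify(fake_db, mac, key)        # ("db_tampered", None)
    return before[0], after[1] == [target], forged[0]
```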
