RE: tripwire failed???

It is probably a good idea to move on to Osiris, http://osiris.shmoo.com

It uses a client server architecture for the deployment of scanning agents
and the storage of the hashes. Another useful feature it has is the ability
to detect newly loaded kernel modules which I believe would had been a
little more helpful in your case.

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Stefano Zanero
Sent: Wednesday, 18 July, 2007 12:19 AM
To: anthony@xxxxxxxxxxxx
Cc: focus-ids@xxxxxxxxxxxxxxxxx
Subject: Re: tripwire failed???

I have discovered that my server has been compromised.

Welcome to the happy club comprising... everybody who's ever managed a
server :D

I believe it's
some sort of rootkit.

You should also hunt for the way IN, otherwise you will never shut out
the attacker. The rootkit is a way to REMAIN in, not a way to get entry.

It has managed to circumvent both rkhunter and
tripwire.

Cool. How are you running tripwire, exactly ? Is the list of hashes on
the same box that was compromised ? If so, I believe I can see why your
tripwire didn't work :D

Also, if the rootkit is loaded in kernel space, tripwire will be silent.

anyone know how I might detect/remove such rootkit? I hate to have to
reload OS/tripwire/rkhunter/reload permissions... start over.

Sorry, you have to. There's no other safe way to get that box clean.

Stefano

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=in
tro_sfw
to learn more.
------------------------------------------------------------------------



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------

Relevant Pages

  • Re: tripwire failed???
    ... You should also hunt for the way IN, otherwise you will never shut out ... The rootkit is a way to REMAIN in, not a way to get entry. ... How are you running tripwire, ... with real-world attacks from CORE IMPACT. ...
    (Focus-IDS)
  • Re: [Full-disclosure] Microsoft GhostBuster Opinions
    ... >failing system that reboots or blue screens every few weeks rather then ... >Of course, I'm not sure you understand what tripwire is or does, further ... you have a rootkit. ...
    (Full-Disclosure)
  • Re: noob question about the CVE-2010-3081 exploit
    ... it has been told to monitor changes. ... One is where the rootkit runs only in memory. ... hide from tripwire if tripwire does not scan the directory where it resides. ... database to pick up added/changed files, restore snapshot of logs to ...
    (comp.os.linux.security)
  • RE: [Full-disclosure] Microsoft GhostBuster Opinions
    ... > runs a file integrity check on certain files and reports the ... > by a rootkit that's been designed to evade file integrity ... > checkers such as tripwire. ... new Microsoft products uses, but as people have stated, this can be done ...
    (Full-Disclosure)
  • Re: noob question about the CVE-2010-3081 exploit
    ... TripWire can tell you when any file/directory ... it has been told to monitor changes. ... One is where the rootkit runs only in memory. ... database to pick up added/changed files, restore snapshot of logs to ...
    (comp.os.linux.security)