Re: Have I been kitted?

From: Patrick Andry (pandry@wolverinefreight.ca)
Date: 06/12/02


Date: Wed, 12 Jun 2002 08:33:53 -0400
From: Patrick Andry <pandry@wolverinefreight.ca>
To: focus-linux@securityfocus.com

You should probably re-install, but if it's at all possible, keep the
box around and try to figure out a number of things:

How the attacker got in.
What Rootkit was installed.
What did the rootkit do (transfer files, create a backdoor, etc.)
Who the attacker was.

Just putting the box back up from source media won't do any good if the
source media has a security hole in it.

Does anyone know of any processes which are hidden by design from ps,
but are not trojans/malware?

> What is the best strategy for dealing with an LKM kit? Reinstall
> linux from CD or try to remove it?
>
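One way to check the hidden-process question raised above is a cross-view comparison: enumerate PIDs from `/proc` directly, enumerate them again through `ps`, and report anything that appears in one view but not the other. The script below is an added example, not code from the original post or from the list; it assumes a Linux host with a procps-style `ps` that accepts `-e -o pid=`, and it takes several passes so that a process which simply exited between the two snapshots is not reported as hidden. The `probe_pids` function is a further, labelled assumption: it stats `/proc/<pid>` for every PID up to `pid_max`, which catches a kit that filters the directory listing but forgets to filter direct lookups.

```python
"""Cross-view check for processes hidden from ps (added example, not from the post).

Idea: ps normally builds its list from /proc, so on a clean box the two views
agree.  A process that shows up in /proc (or answers to a direct /proc/<pid>
lookup) but is missing from ps is worth investigating on a suspected LKM kit.
"""
import os
import subprocess
import time


def proc_pids(proc_root="/proc"):
    """PIDs visible as numeric directory names in /proc."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def parse_ps_pids(ps_output):
    """Extract PIDs from `ps -e -o pid=` output (one PID per line, no header)."""
    pids = set()
    for line in ps_output.splitlines():
        line = line.strip()
        if line.isdigit():
            pids.add(int(line))
    return pids


def ps_pids():
    """PIDs as reported by the ps binary (assumes procps-style flags)."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return parse_ps_pids(out)


def probe_pids(proc_root="/proc", limit=None):
    """Assumption: stat each /proc/<pid>/status directly instead of trusting
    the directory listing.  Defaults to the kernel's pid_max; pass a smaller
    limit to keep the scan quick."""
    if limit is None:
        with open(os.path.join(proc_root, "sys/kernel/pid_max")) as fh:
            limit = int(fh.read().strip())
    return {pid for pid in range(1, limit + 1)
            if os.path.exists(os.path.join(proc_root, str(pid), "status"))}


def hidden_pids(proc_view, ps_view):
    """PIDs present in the /proc view but absent from the ps view, sorted."""
    return sorted(set(proc_view) - set(ps_view))


def confirm_hidden(snapshots):
    """Keep only PIDs reported hidden in every pass; a process that exited
    between the /proc and ps snapshots of one pass drops out here."""
    if not snapshots:
        return []
    common = set(snapshots[0])
    for snap in snapshots[1:]:
        common &= set(snap)
    return sorted(common)


def scan(passes=3, pause=0.2, probe_limit=None):
    """Run the comparison several times and return the PIDs hidden in all of them."""
    results = []
    for _ in range(passes):
        visible = proc_pids() | probe_pids(limit=probe_limit)
        results.append(hidden_pids(visible, ps_pids()))
        time.sleep(pause)
    return confirm_hidden(results)


if __name__ == "__main__":
    # Small probe range keeps the demo fast; drop probe_limit to scan up to pid_max.
    for pid in scan(probe_limit=65536):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                cmd = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            cmd = "<unreadable>"
        print(f"hidden from ps: pid {pid} cmdline={cmd!r}")
```

Run it as root on the suspect machine from a known-good `ps` binary (e.g. one copied from trusted media), since a kit that has replaced `ps` itself or hooked the kernel's directory and stat paths consistently will pass this check; an empty result narrows the problem but does not clear the box.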


