Re: Have I been kitted?

From: Patrick Andry (pandry@wolverinefreight.ca)
Date: 06/12/02


Date: Wed, 12 Jun 2002 08:33:53 -0400
From: Patrick Andry <pandry@wolverinefreight.ca>
To: focus-linux@securityfocus.com

You should probably re-install, but if it's at all possible, keep the
box around and try to figure out a number of things:

How the attacker got in.
What Rootkit was installed.
What did the rootkit do (transfer files, create a backdoor, etc.)
Who the attacker was.

Just putting the box back up from source media won't do any good if the
source media has a security hole in it.

Does anyone know of any processes which are hidden by design from ps,
but are not trojans/malware?

> What is the best strategy for dealing with an LKM kit? Reinstall
> Linux from CD or try to remove it?
>
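The question above about processes hidden from ps comes down to how ps sees processes at all: it walks the /proc directory, so an LKM kit only has to filter that listing. Other kernel paths (kill(2), a direct lookup of /proc/<pid>) are hooked separately, and a kit that forgets one of them leaves a discrepancy. The script below is an added example written for this page, not code from the original thread; it cross-checks the /proc listing against both probes. The function names, the pid_max fallback of 32768 and the test inputs are my own assumptions. It does not answer which hidden processes are legitimate, it only enumerates the disagreement, and a clean result proves nothing against a kit that hooks every path, which is why the advice above to keep the box and analyse it offline still applies.

```python
"""Added example (not from the original post): find processes that answer
kill(2) or resolve under /proc but are missing from the /proc directory
listing that ps walks. Linux only."""
import os


def pid_max():
    """Upper bound for PIDs on this kernel (assumed fallback: 32768)."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read().strip())
    except OSError:
        return 32768


def pids_from_proc_listing():
    """PIDs visible through readdir()/getdents on /proc: the path ps walks
    and the one a process-hiding LKM typically filters."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_from_kill_probe(limit):
    """Probe every PID with kill(pid, 0), a different syscall from getdents.
    ESRCH (ProcessLookupError) means no such process; EPERM (PermissionError)
    means it exists but belongs to someone else, so it still counts."""
    found = set()
    for pid in range(1, limit + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found


def pids_from_stat_probe(limit):
    """Probe /proc/<pid> by direct lookup (stat), which some kits leave
    unhooked even when they filter the directory listing."""
    found = set()
    for pid in range(1, limit + 1):
        try:
            os.stat(f"/proc/{pid}")
        except OSError:
            continue
        found.add(pid)
    return found


def hidden_pids(listed_before, probed, listed_after):
    """Pure comparison: a PID the probe found but neither listing shows.
    Listing before and after the probe removes the race where a process
    starts or exits in the middle of the scan."""
    return sorted(probed - (listed_before | listed_after))


def tgid_of(pid):
    """Thread-group id from /proc/<pid>/status, or None if unreadable."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def drop_threads(pids, lookup=tgid_of):
    """Thread ids of multi-threaded processes answer kill(2) and resolve
    under /proc but never appear in the /proc listing, so every thread
    would look 'hidden'. Keep a PID only if it is its own thread-group
    leader, or if its status file cannot be read at all (that is the
    suspicious case: reachable by syscall, absent from /proc)."""
    keep = []
    for pid in pids:
        tgid = lookup(pid)
        if tgid is None or tgid == pid:
            keep.append(pid)
    return keep


def scan():
    """Run both probes against the live system and return the suspects."""
    limit = pid_max()
    before = pids_from_proc_listing()
    by_kill = pids_from_kill_probe(limit)
    by_stat = pids_from_stat_probe(limit)
    after = pids_from_proc_listing()
    return {
        "unlisted_but_killable": drop_threads(hidden_pids(before, by_kill, after)),
        "unlisted_but_statable": drop_threads(hidden_pids(before, by_stat, after)),
    }


if __name__ == "__main__":
    for label, pids in scan().items():
        print(f"{label}: {pids or 'none'}")
```

Run it as root on the suspect box (unprivileged, kill(2) still reports EPERM for other users' processes, so the kill probe works without root; only the status read may fail). On kernels where pid_max has been raised to 4194304 the two probe loops take noticeably longer. Any PID that survives drop_threads deserves a look at /proc/<pid>/exe, cmdline and the open sockets, ideally from a boot off trusted media rather than from the running kernel the kit controls.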


