Re: exploit or human
From: Eduardo Kienetz (eduardok_at_gmail.com)
Date: Thu, 31 Mar 2005 17:59:33 -0300
To: Cristian Stanca <email@example.com>
On Thu, 31 Mar 2005 18:14:49 +0200, Victor Calzado <firstname.lastname@example.org> wrote:
> Valentin Avram wrote:
> >Most of the symptoms you describe and the "sudden" falling of more
> >systems does point to a rootkit that was installed on the first
> >compromised machine (FC2). That machine might have been later used to
> >gain access to the other servers in your network.
> >Also the failure to restart the server
> >usually is a consequence of that. One way to make sure of that is to get
> >the hdd from the possibly compromised machine, put it on an offline
> >system which has rkhunter (or other rootkit-detection software)
> >installed and check it. After the signs you described, you'll very
> >probably find a rootkit.
> >RH's before RHEL are ok (from the stability point of view) as long as
> >you keep the exposed services up to date (recompilation from source).
> >Don't use the old software they come with, cause you might just open a
> >door to your system.
> I'm sorry but probably you will find more infected systems all over your
> network. You will probably need to reinstall every compromised server
> and any content recovered from an "infected" system should be scanned
> for viruses and checked for rootkits.
Run chkrootkit: http://www.chkrootkit.org
--
Eduardo Bacchi Kienetz
http://www.noticiaslinux.com.br/eduardo/