Re: exploit or human

From: Eduardo Kienetz (eduardok_at_gmail.com)
Date: 03/31/05


Date: Thu, 31 Mar 2005 17:59:33 -0300
To: Cristian Stanca <cristian.stanca@radcom.ro>

On Thu, 31 Mar 2005 18:14:49 +0200, Victor Calzado <vcalzado@gmail.com> wrote:
> Hi,
>
> Valentin Avram wrote:
>
> >Hello.
> >
> >Most of the symptoms you describe and the "sudden" falling of more
> >systems does point to a rootkit that was installed on the first
> >compromised machine (FC2). That machine might have been later used to
> >gain access to the other servers in your network.
> ...
> >Also the failure to restart the server
> >usually is a consequence of that. One way to make that sure is to get
> >the hdd from the possibly compromised machine, put it on an offline
> >system which has rkhunter (or other rootkit-detection software)
> >installed and check it. After the signs you described, it quite very
> >probably you'll find a rootkit.
> >
> >RH's before RHEL are ok (from the stability point of view) as long as
> >you keep the exposed services uptodate (recompilation from source).
> >Don't use the old software they come with, cause you might just open a
> >door to your system.
>...
> I'm sorry but probably you will find more infected systems all over your
> network. You will probably need to reinstall every compromised server
> and any content recovered from an "infected" system should be scanned
> for viri and checked for rootkits.

Run chkrootkit: http://www.chkrootkit.org

Regards,

-- 
Eduardo  Bacchi Kienetz
http://www.noticiaslinux.com.br/eduardo/


Relevant Pages

  • Re: Server hacked?
    ... There seems to be some kind of rootkit running on your server. ... Active Internet connections ...
    (Ubuntu)
  • Re: exploit or human
    ... so on) while some other software runs just fine makes the rootkit ... the hdd from the possibly compromised machine, ... before making any server accessible from the Internet. ... What is interesting is that this hard-disk failure ...
    (Incidents)
  • Re: w3k server
    ... I would check out the rootkit tool from http://www.sysinternals.com there ... >> You don't clean rootkits. ... >>> I am convinced my server has been compromised. ... >>> its registry entries and files. ...
    (microsoft.public.windows.server.general)
  • Re: User access & security
    ... rootkit of some sort and totally compromise the system. ... or the root account has no password because it's to hard to type the ... server - must be OK!" ...
    (comp.os.linux.security)
  • Re: User access & security
    ... rootkit of some sort and totally compromise the system. ... you want your users to be able to do (permissions permissions ... server - must be OK!" ...
    (comp.os.linux.security)