Re: Rooted
From: Dale Pontius (dale_at_edgehp.invalid)
Date: 05/09/03
- Next message: Kasper Dupont: "Re: persistent vpn with pppd over ssh"
- Previous message: Dale Pontius: "Re: Rooted"
- Maybe in reply to: Dale Pontius: "Re: Rooted"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 09 May 2003 03:37:38 GMT
In article <3ea2a237$0$49100$e4fe514c@news.xs4all.nl>,
erik <erik@geenspam.vanwesten.net> writes:
> Bit Twister wrote:
>
>> On 20 Apr 2003 05:04:56 -0700, Adi wrote:
>>> My weekly chkrootkit output showed that ps,ls and netstat are
>>> infected, I may have the Ambient rootkit and also 2 hidden processes.
>>> Made a search for Ambient rootkit and I looked at this page
>>> http://www.linuxworld.com/linuxworld/lw-2001-04/lw-04-vcontrol_1.html
>>> Just as in that article, I have a /dev/ptyxx directory created
>>> yesterday and contains the files .addr, .file and .proc(no .log).
>>> Looking at the files, apparently the hacker has chosen to hide the
>>> process 'srm' and a couple of local ports as well as remote port
>>> 6667. I'm curious about just what this 'srm' program does...I
>>> understand that there is a 'secure file deletion' program by that
>>> name..but then
>>> if he wanted to delete files why not just use rm? It's in /usr/bin,
>>> I've tried to run it but no output.
>>> I guess there's no denying that I've been rooted, I was wondering if
>>> I could find out how it happened, and what damage has been done.
>>> I did notice yesterday that my Samba service started behaving weird
>>> and not accepting my password for the shares. It worked fine after I
>>> restarted it though.
>>
>> Since you gave no info on which distribution, release, service
>> and their release level, we cannot help.
>>
>> I do have a recommendation or two:
>>
>> First, unplug your system from the internet. Your machine is a menace
>> to society and you until it's cleaned up.
>>
>> Here is why you need a FORMAT and clean install when your box IS
>> cracked.
>> http://en.tldp.org/LDP/LG/issue36/kuethe.html
>> 4th paragraph.
>>
>> Think about that paragraph.
>> You cannot use ANY of your pc's utilities to see if your box is
>> cracked and find what additional files are installed.
>>
>> http://www.chkrootkit.org has a program for checking for rootkit
>> installs on the cracked box. That will tell you about known root kits
>> if you have one. The cracker may not have installed a rootkit.
>>
>>
>> What you can do is have a dual boot system. You install a second copy
>> of your OS and label it Auditor. You never, EVER mount it from the
>> internet OS.
>>
>> Some have suggested installing on a separate disk which is left unplugged
>> until you want to use it.
>>
>> Anytime you THINK you've been cracked, you can boot into Auditor,
>> mount the internet os partition and start checking the internet OS
>> partitions for new files and whatnot.
>>
>>
>
> Wrong suggestion. Who will prevent the cracker from mounting the other
> partition? Correct. Nobody. _The_ way to go is to use a secure loghost if
> one can afford it. For business use this is an absolute need. There
> simply is no better solution.
>
In general, I agree with the idea of a hotswap cradle for an extra
drive as being safer. But how about the idea of using boot parms to
pass in a fake geometry for the drive, making the current Linux boot
think that the drive is smaller than it really is. Then you couldn't
see that extra partition without a reboot. You'd probably need to
have 'noprobe' so the kernel knows *nothing* about the real geometry.
You'd probably also want a little unpartitioned space around where
you tell the driver the disk ends with the fake geometry - you don't
want it seeing a fraction of a filesystem.
Dale Pontius
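As an added example (not code from the thread or any of its posters), this is the kind of check the "Auditor" boot described above is meant to enable: from a trusted boot, hash every regular file on the mounted suspect partition and diff it against a baseline manifest saved while the system was known-good. The mount point is whatever you pass as `root`; the temporary directory tree and its contents are constructed purely for the demo.

```python
"""Offline integrity audit of a mounted, suspect root partition from a trusted boot.
Example code added for illustration; the sample tree below is constructed, not real."""
import hashlib
import os
import stat
import tempfile

def build_manifest(root):
    """Map each regular file (path relative to root, '/'-separated) to
    (sha256, size, mode). lstat is used so symlinks are never followed."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, device nodes, sockets, fifos
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (digest, st.st_size, stat.S_IMODE(st.st_mode))
    return manifest

def diff_manifests(baseline, current):
    """Files that appeared, vanished, or changed in content, size or mode
    since the baseline was taken. A trojaned ps/ls/netstat shows up as 'changed';
    a dropped hidden directory under /dev shows up as 'added'."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline
                          if p in current and baseline[p] != current[p]),
    }

def demo():
    """Constructed scenario: take a baseline of a tiny fake root, then simulate
    a replaced /bin/ps and a hidden /dev/.hidden/.proc file like the thread's."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "ps"), "wb") as fh:
        fh.write(b"genuine ps\n")
    baseline = build_manifest(root)           # saved while known-good
    with open(os.path.join(root, "bin", "ps"), "wb") as fh:
        fh.write(b"trojaned ps\n")            # binary replaced
    os.makedirs(os.path.join(root, "dev", ".hidden"))
    with open(os.path.join(root, "dev", ".hidden", ".proc"), "wb") as fh:
        fh.write(b"srm\n")                    # hidden config dropped
    return diff_manifests(baseline, build_manifest(root))
```

In real use, store the baseline manifest on the Auditor partition (or read-only media), never on the audited system, since a cracker with root can rewrite anything that partition holds.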