Re: RST.B .... can anyone shed some light?
From: Rick Moen (rick_at_linuxmafia.com)
Date: 01/17/05
- Next message: Jim Richardson: "Re: Compromised user account, consequences?"
- Previous message: Rick Moen: "Re: How to scp to machine with no root account?"
- In reply to: twism78_at_gmail.com: "RST.B .... can anyone shed some light?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 17 Jan 2005 00:23:16 GMT
twism78@gmail.com wrote:
> My name is Dave Rosendahl, and unfortunately it seems one of my
> company's servers has been hit by the RST.B virus.
No, it wasn't. RST.B (Remote Shell Trojan, variant B), in itself, lacks
the ability to break into anything. Judging by your account, someone
_ran_ it on your local system, thereby appending it to one or more
binaries. (You haven't bothered to tell us why you believe the thing to
be present, or where.)
If you mean you detected it in a privileged system binary, then whoever
put it there must have done so using a privileged login. For example,
an intruder who broke in using other means might have installed a
rootkit that included a copy of RST.B, installing the latter as a
modification to system binaries in order to keep its (RST.B's) UDP-based
backdoor access open.
If all you have is some fool running a RST.B-infected binary in his own
home directory, it's pretty much a non-problem. (He's injured only
himself, really.) On the other hand, if it's in something with
system-level authority (root-user or similar), then you need to worry:
As always with rootkits and other post-attack tools, what you as the
sysadmin should be thinking about is not the post-attack tools but
rather...
o recovery from the root compromise
o prevention of repeats
o hardening the system against similar attacks
o defence in depth
o identification of the attacker (optional)
o detection of future incursions
That's my laundry-list from my old IDG security article,
http://security.itworld.com/4352/LWD000829hacking/pfindex.html
My analysis of all known Linux malware, including RST:
http://linuxmafia.com/~rick/faq/index.php?page=virus#virus5
--
Cheers,                     Hardware:  The part you kick.
Rick Moen                   Software:  The part you boot.
rick@linuxmafia.com
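Since the post describes RST.B as something that gets appended to existing binaries, one cheap triage check a sysadmin can run when looking for modified executables is to compare each ELF file's real size with the size implied by its own headers. The script below is an added example written for this thread, not code from the post or from any tool it mentions; the sample ELF image it checks is constructed inline, and a non-zero result is only a lead to confirm against package-manager checksums (rpm -V, debsums or a tripwire baseline), since stripped or unusually linked binaries can also carry trailing bytes.

```python
import struct


def elf_expected_size(data: bytes):
    """Offset just past the section header table, i.e. where a normally
    linked ELF file ends.  Returns None if the data is not ELF or has no
    section header table (the heuristic does not apply then)."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return None
    endian = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little, 2 = big
    if data[4] == 1:                             # EI_CLASS 1 = ELF32
        e_shoff = struct.unpack_from(endian + "I", data, 0x20)[0]
        e_shentsize, e_shnum = struct.unpack_from(endian + "HH", data, 0x2E)
    elif data[4] == 2:                           # EI_CLASS 2 = ELF64
        e_shoff = struct.unpack_from(endian + "Q", data, 0x28)[0]
        e_shentsize, e_shnum = struct.unpack_from(endian + "HH", data, 0x3A)
    else:
        return None
    if e_shoff == 0 or e_shnum == 0:
        return None
    return e_shoff + e_shentsize * e_shnum


def trailing_bytes(data: bytes):
    """Bytes present after the section header table; None if not checkable."""
    expected = elf_expected_size(data)
    if expected is None:
        return None
    return max(0, len(data) - expected)


def scan_files(paths):
    """Return [(path, trailing_bytes)] for files that carry appended data."""
    findings = []
    for path in paths:
        with open(path, "rb") as fh:
            extra = trailing_bytes(fh.read())
        if extra:
            findings.append((path, extra))
    return findings


# Constructed sample: a minimal little-endian ELF64 header whose single
# 64-byte section header sits right after the 64-byte ELF header, so a
# clean file is exactly 128 bytes long.
_E_IDENT = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
_HEADER = _E_IDENT + struct.pack("<HHIQQQIHHHHHH",
                                 2, 0x3E, 1, 0, 0, 64, 0, 64, 0, 0, 64, 1, 0)
CLEAN_ELF = _HEADER + b"\x00" * 64
TAMPERED_ELF = CLEAN_ELF + b"\xcc" * 200   # constructed appended payload

if __name__ == "__main__":
    print("clean:", trailing_bytes(CLEAN_ELF), "tampered:", trailing_bytes(TAMPERED_ELF))
```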