Re: Phishing Attempt
- From: ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin)
- Date: Thu, 04 Oct 2007 14:40:57 -0500
On Thu, 04 Oct 2007, in the Usenet newsgroup comp.os.linux.security, in article
<4704218d$0$29251$ba620e4c@xxxxxxxxxxxxxx>, goarilla wrote:
> Moe Trin wrote:
>> it doesn't show up in the list of malware searched for in the
>> windoze-wannabe "tools" chkrootkit or rkhunter.
> little question: are you implying chkrootkit and rkhunter are well ...
> snakeoil
The main parts of both tools are rather extensive shell scripts. A lot
of people run them in the hope that they might discover something. They
usually find some innocent indication, and false alarm on that. If you
do a search in the news groups archives, you'll find lots of indications
of false alarms, and few IF ANY reports of actually finding real rootkits.
> and totally unnecessary as security tools ?
s/unnecessary/useless/ Both "tools" search for the '55808'
worm (a distributed port scanner from June 2003) by looking for a file
named '/tmp/.../a' or '/tmp/.../r'. If the "tools" find either, you
must have the 55808 worm - and conversely if they don't find those
specific files, you don't have the worm (that's been toned down now,
and they merely report "not found"). You are of course sure that the
mal-ware author would _never_think_ of changing the file name to
ANYTHING other than '/tmp/.../a' or '/tmp/.../r', right?
> i'm curious that's all
Searching for things that happened in the past (searching for the
'ramen' worm from 2001 which attacked unmaintained Red Hat 6.2 systems)
and expecting the mal-ware to be unchanged is fairly useless. Do you
know anyone still running wu-ftpd-2.6.0 or earlier? A more suitable
tool would be a real IDS - something based on the concepts of
'tripwire' (which took a snapshot of message digests [such as md5sum
_and_ others] of your system, allowing you to compare what it looked
like before versus now). Such tools are much more likely to detect
problems, with much less of a chance of false alarms.
>> Actually, this looks more as if the host 58.105.225.59 is/was being used
> i would recommend to take an image of the system and send it to a
> computer security group like the FBI or something (i don't know where
> you're from)
http://www.iana.org/assignments/ipv4-address-space
Takes a few seconds to find that 58.105.225.59 is in the Melbourne area.
> you could also let your system just run and increase logging (sort of
> turning this system into an evidence collecting machine) by applying some
> iptables rules and editing syslog.conf
I suspect his ISP might not be pleased with that. As of Tuesday, that
address range wasn't showing up on news.admin.net-abuse.* and I'm sure
they're happy about that. Lots of network administrators have private
blocklists, and once in them, it's often very hard to get de-listed.
> the hacker doesn't seem to be very skilled
Hard to say - the provided script snippet is quite small and isn't
needing to do anything complicated.
> install the same system on another machine, index system tools by
> taking md5sums and check them on the compromised machine.
This is MUCH better than chkrootkit or rkhunter, but is still subject
to errors, and won't find processes running in RAM and not on the disk.
Old guy
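The baseline-and-compare approach the thread ends on (snapshot digests of a clean install, then check the suspect machine), written out as an added example that is not from the post or from tripwire; the function names, the digest choice (md5 plus sha256, following "md5sum _and_ others") and the sample trees are my own. The constructed sample replaces one binary and drops a file under an arbitrary name, which a check keyed on a fixed path like '/tmp/.../a' would never see; as the post notes, this only covers what is on disk, not a process living purely in RAM.

```python
import hashlib, os, shutil, tempfile
from pathlib import Path

# Assumption: digest names and all function names below are my own, not tripwire's.
DIGESTS = ("md5", "sha256")   # the post suggests md5sum "and others"

def file_digests(path, chunk=65536):
    """Hash one file with every digest in DIGESTS in a single read pass."""
    hashes = {name: hashlib.new(name) for name in DIGESTS}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashes.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashes.items()}

def snapshot_tree(root):
    """Baseline of a tree: relative path -> digests for every regular file."""
    root = Path(root)
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                      # deterministic walk order
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue                     # digests are for file content only
            baseline[str(p.relative_to(root))] = file_digests(p)
    return baseline

def compare_snapshots(clean, suspect):
    """Diff a suspect snapshot against the clean baseline, by content not by name."""
    added = sorted(set(suspect) - set(clean))
    removed = sorted(set(clean) - set(suspect))
    modified = sorted(p for p in set(clean) & set(suspect) if clean[p] != suspect[p])
    return {"added": added, "removed": removed, "modified": modified}

def demo():
    """Constructed sample: a clean 'bin' tree and a copy with one binary
    replaced and a file under an arbitrary name dropped in."""
    tmp = Path(tempfile.mkdtemp())
    clean, suspect = tmp / "clean" / "bin", tmp / "suspect" / "bin"
    clean.mkdir(parents=True)
    (clean / "ls").write_bytes(b"clean ls bytes")
    (clean / "ps").write_bytes(b"clean ps bytes")
    shutil.copytree(clean, suspect)
    (suspect / "ps").write_bytes(b"clean ps bytes plus a trojan")   # modified binary
    (suspect / ".x").write_bytes(b"dropped in")                       # not '/tmp/.../a'
    report = compare_snapshots(snapshot_tree(clean), snapshot_tree(suspect))
    shutil.rmtree(tmp)
    return report
```

In practice the baseline and the comparison tool must come from the clean machine (read-only media), since a compromised host's own md5sum, ls or kernel cannot be trusted to report honestly.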