Re: How to detect a trojan on a Unix server?
From: Juergen P. Meier (news-reply@news.jors.net) Date: Thu, 30 May 2002 11:54:34 +0000 (UTC)
- Next message: mack23 : "Re: secure UNIX log server"
- Previous message: Lassi Hippeläinen: "Re: IP address <--> Global Positioning System (GPS)"
- In reply to: Ryo Furue: "How to detect a trojan on a Unix server?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
followup to Ryo Furue:
> A user reported that when she connected to our FTP server, the Norton
> security software on her PC said that the PC got a Trojan attack from,
Did that user perhaps say this ``attack'' targets port 113? In that
case it's a false alarm (as usual with Personal Firewall crap) - your
FTP server just uses the Ident protocol. (see RFC 1413 for details)
Or does that user try to do directory listings or download files and
that does not work, while her Norton crapware reports "attacks" from
port 20 to high ports? (hit her with RFC 959).
> say, 1.11.11.111 (This is a fictitious IP address), which is the FTP
> server's IP address. I'm worried because I'm an admin of the server.
> Does this mean that the server has some malicious software installed
> which scans the ports of hosts connecting to it? How can I examine
> what's going on? Could some kind soul refer me to some information
> sources? The server is a Sun Ultra 1 with Solaris 2.5.1.
The only *sure* way to detect a trojan horse is a Post Mortem
Analysis, which implies that the FTP server needs to be taken offline,
powered down and then booted from a safe medium (i.e. CD-ROM), so you
can use the tools on that medium (i.e. CD-ROM) to analyze the contents
of your hard disk. This is necessary because you cannot trust any
program on your hard disk to show you correct information. Modern
rootkits modify almost any useful program on the "infected" machine
so that the Admin can no longer use these tools to find the trojan
horse.
Since many scriptkiddies and their rootkits are far from perfect,
there exists a tool called chkrootkit that can be run on the
suspected server and report many imperfect rootkits. When this does
not find anything it does not mean you are clean, however ;)
RFC documents are available at various locations including
http://www.ietf.org/rfc.html
Juergen
-- 
Juergen P. Meier - "This World is about to be Destroyed!" This is it. Nothing more to come. There is no more text. It's the end
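The two benign back-connections Juergen describes (the Ident lookup to port 113 per RFC 1413, and active-mode data connections from port 20 per RFC 959) can be checked mechanically against the client's firewall alerts. The script below is an added example, not code from the thread or from any firewall product: the alert format, the control-channel excerpt and the addresses are constructed for illustration, and the function and variable names are my own. It decodes the PORT commands the client sent, then classifies each alert as an expected Ident lookup, an expected data connection to a port the client actually advertised, or something that does need investigation.

```python
"""Triage 'attack' alerts a client-side personal firewall raised against
an FTP server by checking them against the two legitimate back-connections
an FTP server makes: Ident (RFC 1413) and active-mode data (RFC 959).
Added example; log formats and addresses below are constructed."""
import re

IDENT_PORT = 113      # RFC 1413: server asks the client who owns the control connection
FTP_DATA_PORT = 20    # RFC 959: active-mode data connections originate from port 20

# Constructed personal-firewall alert lines (hypothetical format).
ALERTS = """\
2002-05-30 11:50:01 BLOCKED TCP 1.11.11.111:34567 -> 192.0.2.5:113
2002-05-30 11:50:03 BLOCKED TCP 1.11.11.111:20 -> 192.0.2.5:49152
2002-05-30 11:50:09 BLOCKED TCP 1.11.11.111:20 -> 192.0.2.5:60000
2002-05-30 11:50:15 BLOCKED TCP 1.11.11.111:4444 -> 192.0.2.5:139
""".splitlines()

# Constructed excerpt of what the client sent on the FTP control channel;
# only the PORT commands matter for the data-connection check.
CONTROL_CHANNEL = """\
USER anonymous
PASS guest@
PORT 192,0,2,5,192,0
LIST
""".splitlines()

ALERT_RE = re.compile(
    r"TCP (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def parse_port_command(line):
    """Decode an RFC 959 'PORT h1,h2,h3,h4,p1,p2' command into (host, port)."""
    m = PORT_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def negotiated_data_endpoints(control_lines):
    """Set of (host, port) pairs the client told the server to connect to."""
    return {ep for ep in map(parse_port_command, control_lines) if ep}


def classify_alert(line, server_ip, data_endpoints):
    """Explain one alert, or flag it as needing investigation."""
    m = ALERT_RE.search(line)
    if not m:
        return "unparsed"
    src, sport = m["src"], int(m["sport"])
    dst, dport = m["dst"], int(m["dport"])
    if src != server_ip:
        return "not from the FTP server"
    if dport == IDENT_PORT:
        return "benign: Ident lookup (RFC 1413)"
    if sport == FTP_DATA_PORT:
        if (dst, dport) in data_endpoints:
            return "benign: active-mode FTP data connection (RFC 959)"
        return "suspicious: data connection to a port the client never advertised"
    return "suspicious: unexplained connection from the server, investigate"


def triage(alerts, control_lines, server_ip):
    """Return [(alert_line, verdict), ...] for every alert."""
    endpoints = negotiated_data_endpoints(control_lines)
    return [(line, classify_alert(line, server_ip, endpoints)) for line in alerts]


if __name__ == "__main__":
    for line, verdict in triage(ALERTS, CONTROL_CHANNEL, "1.11.11.111"):
        print(f"{verdict:72} {line}")
```

A verdict of "suspicious" here only means the alert is not explained by the captured control session; the third alert could be a data connection for a PORT command sent on a session that was not captured. Correlate with the full session before treating the firewall pop-up as evidence of anything, which is the point of the reply: the pop-up by itself proves nothing.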
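The post-mortem step Juergen describes, booting from a safe medium and analyzing the disk with tools that did not come from it, reduces in practice to comparing what is on the suspect filesystem with a known-good reference. The script below is an added example, not from the thread or from chkrootkit: it hashes every regular file under a mounted suspect root and diffs the result against a manifest built from a trusted tree, reporting modified, added and missing files. The directory trees it builds are constructed in a temporary directory so it runs stand-alone; in a real post mortem the trusted manifest would come from vendor media or a pre-incident baseline, and the interpreter and libraries would themselves have to live on the boot medium.

```python
"""Offline integrity check as run from a trusted boot medium: compare the
hashes of files under a suspect root (mounted read-only) against a manifest
of known-good hashes.  Added example; the trees below are constructed."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map path-relative-to-root -> sha256 for every regular file under root.
    Symlinks are skipped: a rootkit may point them anywhere."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def compare(known, suspect):
    """Diff two manifests: replaced binaries, files that should not exist,
    and files that have vanished."""
    return {
        "modified": sorted(p for p in known if p in suspect and known[p] != suspect[p]),
        "added": sorted(p for p in suspect if p not in known),
        "missing": sorted(p for p in known if p not in suspect),
    }


def demo():
    """Construct a clean tree and a 'suspect' tree in which ls has been
    replaced and a hidden extra file dropped, then compare them."""
    clean = {
        "usr/bin/ls": b"ELF...ls v1",
        "usr/bin/ps": b"ELF...ps v1",
        "usr/bin/netstat": b"ELF...netstat v1",
    }
    infected = dict(clean)
    infected["usr/bin/ls"] = b"ELF...ls trojaned"          # rootkit-replaced binary
    infected["usr/lib/.hidden/sniffer"] = b"ELF...sniffer"  # dropped tool
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "cdrom_root")     # stands in for vendor media
        bad = os.path.join(tmp, "suspect_root")    # stands in for the mounted disk
        for root, files in ((good, clean), (bad, infected)):
            for rel, data in files.items():
                p = os.path.join(root, rel)
                os.makedirs(os.path.dirname(p), exist_ok=True)
                with open(p, "wb") as f:
                    f.write(data)
        return compare(build_manifest(good), build_manifest(bad))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9}: {paths}")
```

Running the comparison on the live system would be pointless for exactly the reason given in the reply: a rootkit that has replaced ls and ps can just as well intercept open() and readdir() and feed this script the original file contents.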