On Mon, Dec 03, 2001 at 09:33:07AM +1100, Jason Lim wrote:
> Hi,
>
> sigh... yes... some of our servers have been hit with the "SSH CRC-32
> compensation attack detector vulnerability" attack.
>
> Some servers have been compromised, and the usual rootkit stuff (install
> root shells in /etc/inetd.conf, bogus syslogd, haxored ps, etc.).
>
> What is an easy way to locate binaries that are different from the ones
> provided in the original debs?

You *are* running either tripwire or aide, right? :(

> And is there any other relatively easier way of cleaning up a system that
> has had a rootkit installed?

debsums will help you with identifying if a binary changed, but if something
was added, you will never know unless you stumble onto it.

> We've done a netstat -a and removed/killed all strange processes, and
> cleaned inetd.conf as much as we can, but some of the programs in
> inetd.conf have themselves also been tampered with (e.g. in.telnetd).
>
> Please help... I have a bad feeling the crackers are coming back real soon
> to really finish off the job... so any help at this time in removing all
> their crap would be greatly appreciated.

I'm really going to have to write up something on securing a machine. There
is no such thing as an uncrackable machine, but your job of cleaning it up
can be a little easier if you prepare ahead of time for it.

Tim

--
Tim Sailer (at home)              Coastal Internet, Inc.
Network and Systems Operations    PO Box 671
http://www.buoy.com               Ridge, NY 11961
[EMAIL PROTECTED]                 (631) 924-3728
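The gap Tim points out (debsums reports a packaged binary whose checksum changed, but says nothing about a file that no package owns) can be closed by walking the tree and diffing it against the md5sums manifests. This is an added example, not part of the thread; it constructs its own dpkg-style md5sums manifest and a throwaway file tree in a temporary directory instead of reading the real /var/lib/dpkg/info, so the paths and contents are sample values.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed "pristine" package contents; the manifest is derived from them so
# the example runs offline. Real manifests live in /var/lib/dpkg/info/<pkg>.md5sums
# and have one line per file: "<md5hex>  <path relative to />".
PRISTINE = {
    "bin/ps": b"#!/bin/sh\necho pristine ps\n",
    "usr/sbin/in.telnetd": b"#!/bin/sh\necho pristine in.telnetd\n",
}

def build_manifest(files):
    """Render {relative_path: bytes} as dpkg-style md5sums text."""
    return "".join(f"{hashlib.md5(data).hexdigest()}  {path}\n"
                   for path, data in files.items())

def parse_manifest(text):
    """Return {relative_path: md5hex} from md5sums text."""
    return {path.strip(): digest for digest, path in
            (line.split(None, 1) for line in text.splitlines() if line.strip())}

def audit(root, manifest_text):
    """Compare the tree under root with the manifest. Returns (changed, missing,
    unpackaged): the first two are what debsums reports, the third is what it cannot."""
    root = Path(root)
    expected = parse_manifest(manifest_text)
    changed, missing = [], []
    for rel, digest in expected.items():
        p = root / rel
        if not p.is_file():
            missing.append(rel)
        elif hashlib.md5(p.read_bytes()).hexdigest() != digest:
            changed.append(rel)
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    return sorted(changed), sorted(missing), sorted(present - set(expected))

def demo():
    """Build a constructed tree with one altered binary and one stray file."""
    root = Path(tempfile.mkdtemp())
    manifest = build_manifest(PRISTINE)
    for rel, data in PRISTINE.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    (root / "bin/ps").write_bytes(b"#!/bin/sh\necho altered ps\n")      # modified
    (root / "usr/sbin/.stray").write_bytes(b"owned by no package\n")    # added
    return audit(root, manifest)
```

On a real host the same `audit` would be run once per manifest under /var/lib/dpkg/info with `/` as the root, and anything in the third list deserves a look even when debsums is silent.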