loki wrote:
>>> ...and a rootkit was installed.
>> A very interesting story. I'm interested how a regular user was able to
>> install a rootkit. I realize that you may not know.
>
> Didn't have the time to analyse that but I presume through privilege
> escalation. Cause this user had direct access to the running service.
> Another possibility would be through kernel modules.
>
>>> When I logged in and tried to ls I saw that ls gave me a segmentation
>>> fault error. After some more minutes I saw that there are some files
>>> that I didn't install.
>> Can you say what the file names/locations were?
>
> Can't remember anymore. I have it saved somewhere. But one of the tools
> I never install is netstat. The changed apps were ls, ps, dir. When I
> analyse it I will get back to you.

Yes, I've seen where corrupted versions of those do not display the hacker's
files or processes. One way to get around a corrupted ls is to use `echo *`.

>> May I suggest tripwire. It does require a bit of work when files are
>> updated, but will catch this sort of thing.
> Am using it but for this server there was no time to install it. Wanted to
> do it later but never had the time. Unfortunately tripwire can't help
> with a kernel module hack. It can check if a .ko file has changed in any way.
> For me the only real safeguard is chroot, iptables and no kernel
> modules. For most servers they aren't needed anyway.

Exactly.

-- 
Bruce

-- 
http://linuxfromscratch.org/mailman/listinfo/lfs-support
FAQ: http://www.linuxfromscratch.org/lfs/faq.html
Unsubscribe: See the above information page
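The `echo *` trick Bruce mentions can be turned into a small consistency check: the shell's own globbing (a builtin, so it does not depend on the ls binary) is compared against what the installed `ls` reports, and any name the shell sees but `ls` omits is flagged. The script below is an added example written for this thread, not code from the original post or from the LFS project; the directory contents and the stand-in "hiding" `ls` it builds under a temporary directory are constructed purely to show the check firing, and the function names (`glob_list`, `ls_list`, `hidden_by_ls`, `check_dir`, `demo`) are my own.

```shell
#!/bin/sh
# Added example (not from the lfs-support thread): compare a directory
# listing obtained purely through shell globbing with the listing the
# installed ls binary produces. A trojaned ls that hides entries shows up
# as names present in the glob list but absent from ls output.

export LC_ALL=C   # identical collation for sort and comm on both sides

# glob_list DIR: print every entry, dotfiles included, using builtins only
# (the "echo *" idea, with printf so odd names stay one per line).
glob_list() {
    (
        cd "$1" || exit 1
        set -- .[!.]* ..?* *
        for name; do
            # an unmatched pattern is left literally in place; skip those
            [ -e "$name" ] || [ -L "$name" ] || continue
            printf '%s\n' "$name"
        done
    ) | sort
}

# ls_list DIR: the same listing as reported by whatever ls is on PATH.
ls_list() {
    ls -A -1 -- "$1" 2>/dev/null | sort
}

# hidden_by_ls DIR: names the shell sees but ls does not report.
hidden_by_ls() {
    a=$(mktemp) || return 2
    b=$(mktemp) || { rm -f "$a"; return 2; }
    glob_list "$1" > "$a"
    ls_list "$1" > "$b"
    comm -23 "$a" "$b"       # lines only in the glob listing
    rm -f "$a" "$b"
}

# check_dir DIR: exit 0 when ls and the shell agree, 1 when ls hides names.
check_dir() {
    hidden=$(hidden_by_ls "$1")
    if [ -n "$hidden" ]; then
        printf 'entries hidden from ls in %s:\n%s\n' "$1" "$hidden" >&2
        return 1
    fi
    return 0
}

# demo: constructed scenario. A clean directory must pass; the same
# directory listed through a constructed wrapper "ls" that drops one name
# must fail the check.
demo() {
    base=$(mktemp -d) || return 2
    mkdir "$base/data" "$base/bin"
    : > "$base/data/normal.txt"
    : > "$base/data/.dotfile"
    : > "$base/data/constructed-hidden"

    # real ls and shell globbing agree on a clean system
    check_dir "$base/data" || { rm -rf "$base"; return 1; }

    # constructed stand-in for a trojaned ls: filters one name out of the
    # real ls output; used only to show the detection firing
    real_ls=$(command -v ls)
    printf '#!/bin/sh\n"%s" "$@" | grep -v "^constructed-hidden$"\n' \
        "$real_ls" > "$base/bin/ls"
    chmod +x "$base/bin/ls"
    if ( PATH="$base/bin:$PATH"; export PATH; check_dir "$base/data" ) 2>/dev/null; then
        rm -rf "$base"; return 1    # the check should have flagged the entry
    fi
    rm -rf "$base"
    return 0
}

# Run the constructed scenario when executed directly.
demo && echo "hidden-entry check behaves as expected"
```

The check only catches a trojaned userland `ls`; a kernel module that filters directory entries at the VFS layer lies to the shell's glob as well, which is the limitation loki points out for tripwire-style file checks.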