Security Incidents mailing list archives

Re: exploit or human

From: Eduardo Kienetz <eduardok () gmail com>
Date: Thu, 31 Mar 2005 17:59:33 -0300

On Thu, 31 Mar 2005 18:14:49 +0200, Victor Calzado <vcalzado () gmail com> wrote:

Hi,

Valentin Avram wrote:

Hello.

Most of the symptoms you describe and the "sudden" falling of more
systems does point to a rootkit that was installed on the first
compromised machine (FC2). That machine might have been later used to
gain access to the other servers in your network.

...

Also the failure to restart the server
usually is a consequence of that. One way to make that sure is to get
the hdd from the possibly compromised machine, put it on an offline
system which has rkhunter (or other rootkit-detection software)
installed and check it. After the signs you described, it quite very
probably you'll find a rootkit.

RH's before RHEL are ok (from the stability point of view) as long as
you keep the exposed services uptodate (recompilation from source).
Don't use the old software they come with, cause you might just open a
door to your system.

...
I'm sorry but probably you will find more infected systems all over your
network. You will probably need to reinstall every compromised server
and any content recovered from an "infected" system should be scanned
for viri and checked for rootkits.


Run chkrootkit: http://www.chkrootkit.org

Regards,

-- 
Eduardo  Bacchi Kienetz
http://www.noticiaslinux.com.br/eduardo/

Current thread:

exploit or human Cristian Stanca (Mar 29)
- RE: exploit or human andrew2 (Mar 29)
  - Re: exploit or human Kevin Reardon (Mar 30)
- Re: exploit or human Tim (Mar 30)
- Re: exploit or human Valentin Avram (Mar 30)
  - Re: exploit or human Victor Calzado (Mar 31)
    - Re: exploit or human Eduardo Kienetz (Mar 31)
    - Re: exploit or human Juri Haberland (Mar 31)
- Re: exploit or human Ben Nelson (Mar 30)