Actually, it didn't cost me anything, but that's irrelevant. The reason I
found the "infected" files in my /tmp directory, in the first place, was
that AntiVir spotted them, and chkrootkit hasn't spotted them anywhere
else.
You are right, though...I probably do need to reinstall...but I'd still
like to know exactly how they got in.
On Sun, 14 Sep 2003, Ethan Benson wrote:
> On Sun, Sep 14, 2003 at 10:47:50AM -0500, Mike Burger wrote:
> > I'll check out Axel's RPMs. If they're created against Red Hat's sources,
> > I'll probably be happy.
> >
> > Luckily for me, I have H+BEDV's AntiVir scanning my system, each night,
> > and it detects this type of thing, so I don't think the thing actually got
> > installed to where it can do any damage...but I want to be as safe as
> > possible.
>
> oh please. if there are pieces of rootkit on your box then whether
> they installed it or not is IRRELEVANT, your box was compromised,
> period.
>
> you cannot know what they did or did not do, your only responsible
> recourse is a complete mkfs of all filesystems (i would dd the entire
> disk with zeros) and a reinstall, then to audit your latest backup of
> user data (do NOT restore ANY binaries).
>
> they could have installed a kernel module which will alter the
> behavior of arbitrary tools WITHOUT replacing any binary on your
> system, which means tripwire and the most expensive `antivirus'
> software will NOT be able to help you. don't think that such a module
> will show up in lsmod output either, or that its file is visible to
> you on the filesystem.
>
> your box has been compromised, you need to rebuild it.
>
>
--
Mike Burger
http://www.bubbanfriends.org
Visit the Dog Pound II BBS
telnet://dogpound2.citadel.org or http://dogpound2.citadel.org:2000
To be notified of updates to the web site, send a message to:
site-update-request@xxxxxxxxxxxxxxxxx
with a message of:
subscribe
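Ethan's point about a kernel module that lies to lsmod is the one a defender can at least partially test for: the same fact (which modules are loaded) is visible through several independent paths, and a rootkit has to hook every one of them consistently to stay hidden. The script below is an added example written for this thread, not code from either poster; it compares the module names reported by `lsmod`, by `/proc/modules`, and by the `/sys/module` directory, and reports any module that is missing from one of the views. The sample outputs and the module name `hidden_lkm` are constructed for the demonstration. The caveat is exactly the one Ethan gives: a kernel-level rootkit that also filters `/proc` and sysfs reads will pass this check, so a clean result is not proof of a clean box, and a positive result only confirms that the rebuild is needed.

```python
"""Cross-view check for hidden kernel modules (added example, not from the thread).

Three views of the loaded-module list are compared:
  - "lsmod": the text output of the lsmod command (a user-space binary that
    can be trojaned or whose libc/proc reads can be hooked),
  - "proc":  the contents of /proc/modules,
  - "sysfs": the directory names under /sys/module that have an 'initstate'
    attribute (loadable modules; built-in modules have no initstate file).
A module present in some views but not all is reported with the views that
do show it.  A rootkit that hooks every view consistently is NOT detected.
"""
import os
import subprocess


def parse_proc_modules(text):
    """Module names from /proc/modules text (name is the first column)."""
    return {line.split()[0] for line in text.splitlines() if line.split()}


def parse_lsmod(text):
    """Module names from lsmod output; the first line is the column header."""
    rows = text.splitlines()[1:]
    return {line.split()[0] for line in rows if line.split()}


def sysfs_loaded_modules(sys_module_dir="/sys/module"):
    """Names under /sys/module that carry an 'initstate' file, i.e. modules
    that went through the module loader rather than being built in."""
    loaded = set()
    try:
        for name in os.listdir(sys_module_dir):
            if os.path.exists(os.path.join(sys_module_dir, name, "initstate")):
                loaded.add(name)
    except OSError:
        pass  # not Linux, or sysfs not mounted: return an empty view
    return loaded


def cross_view(views):
    """views: dict of view-name -> set of module names.
    Returns {module: [views that show it]} for every module that is absent
    from at least one view; an empty dict means all views agree."""
    every_name = set().union(*views.values())
    findings = {}
    for name in sorted(every_name):
        seen_in = [view for view, names in views.items() if name in names]
        if len(seen_in) != len(views):
            findings[name] = seen_in
    return findings


# --- constructed sample: lsmod has been trojaned to drop 'hidden_lkm', -------
# --- but /proc/modules and sysfs still list it -------------------------------
SAMPLE_PROC_MODULES = (
    "ext3 89256 1 - Live 0xf8890000\n"
    "jbd 52884 1 ext3, Live 0xf8878000\n"
    "hidden_lkm 12288 0 - Live 0xf88a0000\n"
)
SAMPLE_LSMOD = (
    "Module                  Size  Used by\n"
    "ext3                   89256  1\n"
    "jbd                    52884  1 ext3\n"
)
SAMPLE_SYSFS = {"ext3", "jbd", "hidden_lkm"}


def demo():
    """Run the cross-view comparison over the constructed sample."""
    views = {
        "proc": parse_proc_modules(SAMPLE_PROC_MODULES),
        "lsmod": parse_lsmod(SAMPLE_LSMOD),
        "sysfs": SAMPLE_SYSFS,
    }
    return cross_view(views)


def live_check():
    """Run the same comparison against the running host (Linux only)."""
    views = {}
    try:
        with open("/proc/modules") as fh:
            views["proc"] = parse_proc_modules(fh.read())
        out = subprocess.run(["lsmod"], capture_output=True, text=True, check=True)
        views["lsmod"] = parse_lsmod(out.stdout)
    except (OSError, subprocess.CalledProcessError):
        return None  # views unavailable on this host
    views["sysfs"] = sysfs_loaded_modules()
    return cross_view(views)


if __name__ == "__main__":
    print("sample findings:", demo())
    print("live findings:", live_check())
```

In the sample, `hidden_lkm` is reported as seen only in `proc` and `sysfs`, which is the signature of a replaced `lsmod` binary or a hooked read path beneath it. On a real host, run it from a trusted boot medium against the mounted disk where that is possible, since on a live, compromised kernel every view is served by code the attacker may control.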