On Sun, Sep 14, 2003 at 09:41:47PM -0500, Mike Burger wrote:
> Actually, it didn't cost me anything, but that's irrelevant. The reason I
> found the "infected" files in my /tmp directory, in the first place, was
> that AntiVir spotted them, and chkrootkit hasn't spotted them anywhere
> else.
>
> You are right, though...I probably do need to reinstall...but I'd still
> like to know exactly how they got in.
do your forensics before reinstall, but do it with the box OFFLINE.
or make an image of the disk if you have space somewhere.
> On Sun, 14 Sep 2003, Ethan Benson wrote:
>
> > On Sun, Sep 14, 2003 at 10:47:50AM -0500, Mike Burger wrote:
> > > I'll check out Axel's RPMs. If they're created against Red Hat's
> > > sources,
> > > I'll probably be happy.
> > >
> > > Luckily for me, I have H+BEDV's AntiVir scanning my system, each night,
> > > and it detects this type of thing, so I don't think the thing actually
> > > got
> > > installed to where it can do any damage...but I want to be as safe as
> > > possible.
> >
> > oh please. if there are peices of rootkit on your box then whether
> > they installed it or not is IRRELEVANT, your box was compromised,
> > period.
> >
> > you cannot know what they did or did not do, your only responsible
> > recourse is a complete mkfs of all filesystems (i would dd the entire
> > disk with zeros) and a reinstall, then to audit your latest backup of
> > user data (do NOT restore ANY binaries).
> >
> > they could have installed a kernel module which will alter the
> > behavior of arbitrary tools WITHOUT replacing any binary on your
> > system, which means tripwire and the most expensive `antivirus'
> > software will NOT be able to help you. don't think that such a module
> > will show up in lsmod output either, or that its file is visible to
> > you on the filesystem.
> >
> > your box has been compromised, you need to rebuild it.
> >
> >
>
> --
> Mike Burger
> http://www.bubbanfriends.org
>
> Visit the Dog Pound II BBS
> telnet://dogpound2.citadel.org or http://dogpound2.citadel.org:2000
>
> To be notified of updates to the web site, send a message to:
>
> site-update-request@xxxxxxxxxxxxxxxxx
>
> with a message of:
>
> subscribe
>
--
Ethan Benson
http://www.alaska.net/~erbenson/
pgphA3pN7Dgcl.pgp
Description: PGP signature
|