Re: Found, a new rootkit

On Sunday 02 April 2006 12:06 am, Gene Heskett wrote:
> >Since the attacker wrote to /usr I'd be looking at how he got to be
> > root.
>
> We haven't found that yet.  We're still looking over the forensic copy
> we made of that drive with dd.  And root's password was alpha-numeric,
> longer than most and certainly not susceptible to a dictionary attack.
> Interesting, since you made the comment re the compiler being handy, is
> that it wasn't used to install the irc botnet kit, only a shell, gzip,
> chmod & cp were used for that according to the install script we read.

I'd suggest that if you have time, format the box clean and start a fresh 
install. In my opinion, once a box has been compromised, we can never trust 
it anymore, not even after checking it with any anti-rootkits available.
CMIIW,
-- 
Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial 
http://linux2.arinet.org
02:59:24 up 9:30, 2.6.15-1.1830_FC4 GNU/Linux 
Let's use OpenOffice. http://www.openoffice.org

