CodeHeads wrote:
> If I completely redid "both" machines how can I have a root kit???

*Exactly* the same way you had one before. You had a vulnerability before, through which an attacker broke in and installed a root kit. If you then installed the same software from scratch, obviously you will have reinstalled the vulnerability. The attacker can then use exactly the same exploit to get in.

As for "how it happened" so quickly, remember that the attacker knows that there has been a history of vulnerable computers at that IP address [1] -- so it's worth trying the same tricks (and related tricks) again.

It wouldn't be that difficult to write a "control program" that checked to see which computers it "0wnz", and which of them are on-line. If a computer goes off-line, it could keep an eye on that IP address or DNS name (and possibly nearby ones) to see if a "cleaned" computer came back on-line -- in which case, it would want to re-install the rootkit before the legitimate administrator could install a fix.

You *really* need to rethink your software. yum update won't help for this -- you will need to change to a more secure package, if there aren't any fixed versions.

James.

[1] If I remember right, we think the vulnerability was in a web server-side script. That sort of implies a website, DNS resolution, and probably fixed IP addresses.

-- 
E-mail address: james | Examiner: How does an AC motor start?
@westexe.demon.co.uk  | Student:  vrrrrrrrrrrRrRRRRRRR...
                      | Examiner: Stop! Stop!
                      | Student:  RRRRRRRmmmmm.