On Mon, 22 May 2006 13:12:31 +0100 James Wilkinson <fedora@xxxxxxxxxxxxxxxxxxx> wrote:

> CodeHeads wrote:
> > If I completely redid "both" machines how can I have a root kit???
>
> *Exactly* the same way you had one before. You had a vulnerability
> before, through which an attacker broke in and installed a root kit. If
> you then installed the same software from scratch, obviously you will
> have reinstalled the vulnerability. The attacker can then use exactly
> the same exploit to get in.
>
> As for "how it happened" so quickly, remember that the attacker knows
> that there has been a history of vulnerable computers at that IP
> address [1] -- so it's worth trying the same tricks (and related tricks)
> again.
>
> It wouldn't be that difficult to write a "control program" that checked
> to see which computers it "0wnz", and which of them are on-line. If a
> computer goes off-line, it could keep an eye on that IP address or DNS
> name (and possibly nearby ones) to see if a "cleaned" computer came back
> on-line -- in which case, it would want to re-install the rootkit before
> the legitimate administrator could install a fix.
>
> You *really* need to rethink your software. yum update won't help for
> this -- you will need to change to a more secure package, if there
> aren't any fixed versions.
>
> James.
>
> [1] If I remember right, we think the vulnerability was in a web
> server-side script. That sort of implies a website, DNS resolution, and
> probably fixed IP addresses.

James, thanks!! :) I kinda figured that. I did find a lot of information doing searching on Google (man's best friend). I will have to get all the info together and post it and see what everyone thinks. Hopefully that will happen today sometime.

Thanks to everyone who helped.

:)
Will