[KLUG Members] Re: Possible root compromise

Bob Kanaley members@kalamazoolinux.org
Tue, 12 Mar 2002 10:58:44 -0500


If you didn't completely reinstall your OS, it would probably be a really
good idea to run chkrootkit (http://www.chkrootkit.org/) and point the path
to binaries on a BSWare or RedHat CDRom. Then use rpm to check the
signatures of your RedHat packages.
When my old SMTP server got cracked, I couldn't immediately shut it down.
So, from a trusted machine, I downloaded a statically linked binary of lsof to
look for any backdoor activity, then I ran rpm checks on my OS followed by
chkrootkit. Once I was pretty sure I hadn't been rootkitted, I methodically
upgraded my security infrastructure and retired that server.

> From: "Owner" <owner@inetplus.net>
> To: <members@kalamazoolinux.org>
> Date: Sun, 10 Mar 2002 10:30:05 -0500
> Subject: [KLUG Members] Question about spam..
> Reply-To: members@kalamazoolinux.org

<SNIP>
> a few weeks
> ago I had a server that got compromised by someone using the alias "MAILMAN"
> you can reach me at hahah this list...by the way I was running redhat 7.2
> without telnet running also no smtp on this particular server. he used an
> exploit to get root access.. only took him 2 mins to completely F&&* things
> up.. pretty nice of him..
> JP
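The checklist Bob gives above (verify the installed packages with rpm, run chkrootkit with its external commands taken from trusted media) as a small triage script. This is an added example, not code from the original post; the CD mount point /mnt/cdrom, the RedHat/RPMS directory on it and a chkrootkit unpacked in the current directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: verify installed files against
# RPM metadata and flag changed system binaries, ignoring the config-file
# edits that legitimately differ on every host.
# Assumed paths: trusted RedHat CD at /mnt/cdrom, chkrootkit unpacked in ".".

# Read `rpm -V` output on stdin and print one line per suspicious file.
# Line shapes: "S.5....T.    /bin/ls", "..5....T.  c /etc/foo", "missing  /x".
# S = size, M = mode, 5 = MD5 digest changed; 'c' before the path = config file.
flag_modified_binaries() {
  while read -r line; do
    [ -n "$line" ] || continue
    set -- $line                    # split on whitespace: flags [attr] path
    if [ "$1" = missing ]; then
      [ "$2" = c ] && continue      # removed config file: not a binary problem
      echo "MISSING  $2"; continue
    fi
    flags=$1
    case "$2" in                    # optional one-letter attribute marker
      [cdglr]) attr=$2; path=$3 ;;
      *)       attr="";  path=$2 ;;
    esac
    [ "$attr" = c ] && continue     # config files change legitimately
    case "$flags" in
      *S*|*M*|*5*) echo "MODIFIED $flags $path" ;;
    esac
  done
}

# Constructed sample of `rpm -Va` output (not captured from any real host).
SAMPLE_RPM_V='S.5....T.    /bin/ls
..5....T.    /bin/ps
.......T.    /usr/bin/vim
S.5....T.  c /etc/mail/sendmail.cf
missing      /usr/sbin/lsof'

check_sample() {
  printf '%s\n' "$SAMPLE_RPM_V" | flag_modified_binaries
}

# On the suspect host an attacker with root may have edited the rpm database
# too, so verify against the package files on the trusted CD (rpm -Vp) rather
# than the database alone, and point chkrootkit at the CD's binaries (-p).
run_on_suspect_host() {
  rpm -Vp /mnt/cdrom/RedHat/RPMS/*.rpm 2>/dev/null | flag_modified_binaries
  ./chkrootkit -p /mnt/cdrom/bin
}

if [ "${1:-}" = --sample ]; then check_sample; fi
```

Run with `--sample` to see the parser's verdict on the constructed output; `run_on_suspect_host` is the part you would execute on the box itself, booted or mounted with trusted media.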