Re: [cobalt-users] pkg.nl.cobalt - Open SSH
- Subject: Re: [cobalt-users] pkg.nl.cobalt - Open SSH
- From: Bill Gunning <bgunning@xxxxxxxxxxxxxxx>
- Date: Tue Jan 15 06:51:05 2002
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Where did you find the rootkit and what was it called?
Bill
At 08:21 PM 1/14/2002 -0800, you wrote:
>_ cbtrussell _ wrote:
>
>> So how did you know you were compromised? How did they get in? (I'm asking
>> because I'm trying to learn to identify the signs....)
>
>Because I was sitting at my system at the time it happened, and all of a
>sudden I couldn't log in to check email anymore (I check email on their
>system every five minutes, as a kind of rudimentary "ping" of the
>connection).
>
>I found the rootkit...
>
>> >I have a copy of the rootkit, it was left on the machine for others to
>> >download <frown>, but I don't think I'm going to give it to anyone.
>
>I ended up not downloading the rootkit, and...
>
>> Did you/are going to just do a fresh restore?
>
>once we found the rootkit was NOT in userspace, we used CMU, restored
>the system, and then restored the CMU. Everything worked fine. But we
>did manage to "lose" the rootkit. Which appears to be an LKM that was
>too new or too different to be caught by chkrootkit.
>
>Jeff
>--
>Jeff Lasman <jblists@xxxxxxxxxxxxx>
>Linux and Cobalt/Sun/RaQ Consulting
>nobaloney.net
>P. O. Box 52672, Riverside, CA 92517
>voice: (909) 778-9980 * fax: (702) 548-9484