Re: [cobalt-users] Hacked - Ambient's Rootkit for Linux ?
- Subject: Re: [cobalt-users] Hacked - Ambient's Rootkit for Linux ?
- From: "Steve Werby" <steve-lists@xxxxxxxxxxxx>
- Date: Sun Nov 10 10:35:57 2002
- Organization: Befriend Internet Services LLC
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
<cobalt@xxxxxxxxxxxxx> wrote:
> Is /var/log the only directory to backup if I wish to trace the hacker..??
It's possible the hacker covered his tracks by deleting log records. Also,
IIRC this rootkit makes it so syslogd doesn't log any connections from the
IP specified by the hacker. /root/.bash_history might contain some info
too. Honestly, I've been cleaning systems with so many rootkits lately that
it's hard to keep them all straight. And in some cases the hacker does more
to cover his tracks and/or I find multiple rootkits installed (not always
even necessarily by the same hacker).
> Has anyone got documentation on installing a Tripwire product on a RaQ4
I think the instructions for Tripwire in the included documentation are
pretty straightforward. If you're running into a problem consider posting
the particular problem you're running into. And this thread is probably
better suited for the cobalt-security list. You may also want to look at
FCheck. I consider it easier to install and work with, though Tripwire has
some advantages too.
> (this is the only way I believe I could have stopped this one).
Well, once you discover a rootkit your server has already been owned so a
tool like Tripwire which reports changes in system files can alert you to
changes that may be the result of a rootkit and chkrootkit can alert you to
signs of a rootkit, but neither can stop the hacker from gaining access and
installing the rootkit. I hope that's clear.
--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
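The baseline-and-compare idea behind Tripwire and FCheck that Steve refers to, as an added shell example (not from the thread and not Tripwire's own code; the function names fim_baseline, fim_check and fim_demo and the sample files are constructed for illustration):

```shell
#!/bin/sh
# Minimal Tripwire-style file integrity check (added example, not from the thread).
# Assumes GNU coreutils (sha256sum, sort, mktemp), awk and find, and file paths
# without whitespace. Keep the baseline somewhere the intruder cannot alter it
# (read-only media or another host); a baseline left on the box is just another
# file for the rootkit to rewrite, and the check itself only tells you after the fact.

# Record a hash of every regular file under $1 into the baseline file $2.
fim_baseline() {
    find "$1" -type f -exec sha256sum {} + | sort -k2 > "$2"
}

# Recompute hashes under $1 and print one line per difference from baseline $2:
# CHANGED <path>, NEW <path>, or MISSING <path>. Prints nothing when all match.
fim_check() {
    current=$(mktemp)
    find "$1" -type f -exec sha256sum {} + | sort -k2 > "$current"
    awk 'NR == FNR { base[$2] = $1; next }          # first file read is the baseline
         {
             if (!($2 in base))         print "NEW " $2
             else if (base[$2] != $1)   print "CHANGED " $2
             seen[$2] = 1
         }
         END { for (f in base) if (!(f in seen)) print "MISSING " f }' \
        "$2" "$current"
    rm -f "$current"
}

# Demonstration on a constructed directory: baseline, tamper, then print the report.
fim_demo() {
    d=$(mktemp -d); b=$(mktemp)
    printf 'clean ls\n' > "$d/ls"; printf 'clean ps\n' > "$d/ps"
    fim_baseline "$d" "$b"
    printf 'replaced ps\n' > "$d/ps"     # binary replaced after the baseline
    printf 'extra file\n'  > "$d/extra"  # file added after the baseline
    rm -f "$d/ls"                        # file removed after the baseline
    fim_check "$d" "$b"
    rm -rf "$d" "$b"
}
```

Run `fim_demo` to see the three kinds of difference reported; run `fim_check` against a stored baseline from a cron job to get the same kind of alert Tripwire gives.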