Re: [cobalt-users] chkrootkit output show possible ambient
- Subject: Re: [cobalt-users] chkrootkit output show possible ambient
- From: "Steve Werby" <steve-lists@xxxxxxxxxxxx>
- Date: Wed Nov 20 08:52:58 2002
- Organization: Befriend Internet Services LLC
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
"alan@" <alan@xxxxxxxxx> wrote:
> I am going to check out what the ARK actually does and how, before I go
> panicking,
Keep in mind that rootkits are designed to obtain elevated permissions and
cover the hacker's tracks. Even if you know what scripts a rootkit installs
and runs and what programs it installs, deletes, modifies and relinks, you
can't be certain what the hacker did manually after that. I've seen plenty
of hackers use the same rootkit and some installed IRC programs, some
downloaded password files, some uploaded files for others to download and
some deleted files and changed passwords. Just something to keep in mind.
> as I said, "somebody" changed the admin password, but there is no
> guarantee that it was a hacker.
You may be able to correlate a login to the GUI or the shell with the
date/time the password was changed, assuming the logs haven't been
rotated/deleted and weren't overwritten and a rootkit didn't block logging
from the hacker's IP or username (like some rootkits do). See logs in
/var/log/ for details.
> This is the problem when coming late to a
> project, everybody denies everything.
> This server has however got all the patches installed (I just installed the
> last 2 myself) and it has ssh 3.1 and telnet is turned off.
Sounds like you need to upgrade SSH. See pkgmaster.com or download and
compile the latest from openssh.org yourself.
> I will be installing ip chains etc but I want to make sure there isn't a
> back door first.
And don't just install it - actually configure it to allow access only to
ports that are necessary and if possible only from specific IPs or subnets.
That last statement probably sounds silly, but I've done work on a fair
number of machines where IPCHAINS was installed, but there were no rules
active - sort of like having a home security system plugged in, but not
having leads to any of the doors and windows and leaving the motion
detectors in the box.
--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
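One concrete form of the ruleset Steve describes above, as an added example that is not part of the original post: a default-deny ipchains input chain that accepts SSH only from an admin subnet and web traffic from anywhere, plus a check that flags the "installed but no rules" state from the output of `ipchains -L input -n`. The admin subnet 192.0.2.0/24 and the set of open ports are assumptions for illustration; the rules are printed for review rather than executed directly.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes only SSH (22) from an
# admin subnet and HTTP/HTTPS (80/443) from anywhere need to reach the box;
# 192.0.2.0/24 is a placeholder admin subnet, replace it with your own.
MGMT_NET="192.0.2.0/24"

# Print the ipchains commands instead of running them, so the ruleset can be
# reviewed first and then applied with:  ./firewall.sh rules | sh
# ipchains has no connection tracking, so replies need explicit (coarse) rules.
ipchains_rules() {
    cat <<EOF
ipchains -F input
ipchains -P input DENY
ipchains -A input -i lo -j ACCEPT
ipchains -A input -p tcp -s $MGMT_NET --dport 22 -j ACCEPT
ipchains -A input -p tcp --dport 80 -j ACCEPT
ipchains -A input -p tcp --dport 443 -j ACCEPT
ipchains -A input -p tcp ! -y -j ACCEPT
ipchains -A input -p udp --sport 53 -j ACCEPT
ipchains -A input -p icmp -j ACCEPT
ipchains -A input -j DENY -l
EOF
}

# Read the text of `ipchains -L input -n` and succeed only when the chain has
# a DENY policy and at least one rule (the listing has two header lines before
# the rules). This is the "alarm plugged in but no leads attached" check,
# usable from cron after installation.
ipchains_active() {
    _listing="$1"
    _policy=$(printf '%s\n' "$_listing" |
        sed -n 's/^Chain input (policy \([A-Z]*\)).*/\1/p')
    _rules=$(printf '%s\n' "$_listing" |
        awk 'NR > 2 && NF > 0 { n++ } END { print n + 0 }')
    [ "$_policy" = "DENY" ] && [ "$_rules" -gt 0 ]
}

case "$1" in
    rules) ipchains_rules ;;
    check) ipchains_active "$(ipchains -L input -n 2>/dev/null)" &&
               echo "firewall active" || { echo "NO ACTIVE RULES"; exit 1; } ;;
esac
```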