
Re: [cobalt-security] February Hack Update



Ensure that as a minimum you restore ls first.
It will help. Then ps, netstat, chown, chmod, etc.
Also check rc.sysinit and rc.local.
This is possible, however no one will recommend or guarantee the box's serviceability after.
Unless you look everywhere there is always a chance you missed a trojan horse.

This is a start.
http://www.chkrootkit.org/

Here is what you are up against.
http://packetstorm.securify.com/UNIX/penetration/rootkits/

At 11:36 AM 3/5/2001 -0500, you wrote:
> most rootkits install trojaned versions of _at least_ ps and netstat
> you are likely opening up more holes to your attacker than you did before by
> running those files.

You could portscan the server from a remote location to ensure that no stray
ports are open. While restoring all binaries would be the best solution, it's
not always practical, and restoring just key binaries (su, bash, login, sh,
netstat, ps, etc.) could do the trick.

Kevin

_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security
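
Added example, not part of the original thread: one way to decide which of the key binaries and startup scripts named above need restoring is to compare the suspect filesystem byte for byte against trusted copies, working from rescue media. The file locations, mount points and function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example. Run from trusted rescue media so sh and cmp are not the
# suspect system's own copies.

# Binaries named in the thread; bin/ locations are assumed.
KEY_BINARIES="bin/ls bin/ps bin/netstat bin/chown bin/chmod bin/su bin/bash bin/login bin/sh"
# Startup scripts named in the thread; etc/rc.d/ locations are assumed.
STARTUP_FILES="etc/rc.d/rc.sysinit etc/rc.d/rc.local"

report() { printf '%-8s %s\n' "$1" "$2"; }

# compare_one TRUSTED_ROOT SUSPECT_ROOT RELPATH LABEL_IF_DIFFERENT
# cmp compares content byte by byte, so a replaced file that keeps the
# original size and timestamp is still reported. Returns 1 on a finding.
compare_one() {
    if [ ! -e "$1/$3" ]; then
        report NOREF "$3"            # no trusted copy to compare against
    elif [ ! -e "$2/$3" ]; then
        report MISSING "$3"; return 1
    elif cmp -s "$1/$3" "$2/$3"; then
        report OK "$3"
    else
        report "$4" "$3"; return 1
    fi
    return 0
}

# check_system TRUSTED_ROOT SUSPECT_ROOT
# Returns 0 only when nothing is MISSING, MODIFIED or flagged for REVIEW.
check_system() {
    findings=0
    for rel in $KEY_BINARIES; do
        compare_one "$1" "$2" "$rel" MODIFIED || findings=1
    done
    # Startup scripts are often edited legitimately, so a difference means
    # "read it by hand", not "known bad".
    for rel in $STARTUP_FILES; do
        compare_one "$1" "$2" "$rel" REVIEW || findings=1
    done
    return $findings
}

# Usage: sh check.sh /mnt/trusted /mnt/suspect   (mount points are examples)
if [ "$#" -eq 2 ]; then check_system "$1" "$2"; fi
```

A clean result covers only the listed files; as the thread says, anything not compared can still hide a trojan.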