Re: [cobalt-security] Running Rootkit and the result
- Subject: Re: [cobalt-security] Running Rootkit and the result
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Mon, 2 Jul 2001 18:57:29 +0200
- Organization: Stauber Multimedia Design
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi Robson,
> I ran rootkit and I got:
> Searching for t0rn's default files and dirs... Possible t0rn rootkit
> installed
> What do I do to remove it?
Now that's hard to give do-it-yourself instructions on, as T0rn comes in
different manifestations and who knows what else unwanted visitors did to
your box. The safe way to go is to do an OS restore and to start over. Or to
ask for professional help to clean the box out.
I've got quite a bit of experience with removing T0rn. So far I've pulled it
from six or seven owned RaQs and one RH 6.2 server. It's possible to do this
without an OS restore, and it usually takes between 60 and 90 minutes. This
includes reinstalling the system binaries that T0rn replaces from RPMs, as well
as checking start scripts, file and user permissions, open sockets and
suspicious files.
After that you have a restored system with all the latest patches, with
Logwatch, Portsentry and IPchains installed.
--
Mit freundlichen Grüßen / Best regards
Michael Stauber
Stauber Multimedia Design ____ Phone: +49-6471-923812
Hauptstrasse 31 ______ D-56244 Goddert ______ Germany
SMD.NET ___ SOLARSPEED.NET ___ FORUMWORLD.COM
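The three checks Michael lists (system binaries to reinstall from RPMs, open sockets, start scripts) as an added worked example; this is not code from the original post or from any Cobalt tool. All input is constructed sample output in the format the real commands produce; the directory list, the port allowlist and the sample paths (/usr/lib/.x/, port 12345) are assumptions for the demo, not known T0rn indicators.

```sh
#!/bin/sh
# Added example (not part of the original post): three triage helpers for the
# checks named in the reply above: modified system binaries, unexpected
# listening sockets, and start scripts launching from odd places. Every input
# below is a constructed sample; the comment above each function says which
# real command produces the same format on a RaQ / Red Hat box.

# Directories whose binaries a rootkit typically replaces (ls, ps, netstat,
# ifconfig, login ...). Assumed list; extend it for your box.
SYSTEM_BIN_DIRS='^/(bin|sbin|usr/bin|usr/sbin|lib)/'

# Real input:  rpm -Va 2>/dev/null | flag_modified_binaries
# "S.5....T   /bin/ls" means size (S), MD5 digest (5) and mtime (T) differ
# from the package database; "missing" means the file is gone. Config files
# (attribute "c") change legitimately and are skipped. What is printed is the
# list of system binaries to reinstall from a clean RPM.
flag_modified_binaries() {
    awk -v dirs="$SYSTEM_BIN_DIRS" '
        $1 == "missing"          { if ($NF ~ dirs) print $NF; next }
        NF >= 3 && $2 == "c"     { next }
        $NF ~ dirs && $1 ~ /5/   { print $NF }'
}

# Real input:  netstat -ln | flag_unexpected_listeners "22 25 80 443"
# Prints proto:port for every TCP/UDP socket bound to a port that is not in
# the space-separated allowlist given as $1.
flag_unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^(tcp|udp)/ {
            port = $4; sub(/.*:/, "", port)
            if (!(port in ok)) print $1 ":" port
        }'
}

# Real input:  cat /etc/rc.d/rc.sysinit /etc/rc.d/init.d/* | scan_start_scripts
# Flags lines that run something from /tmp, /var/tmp or a hidden directory
# ("/.name/"); the distribution's own scripts do neither.
scan_start_scripts() {
    grep -nE '(/tmp|/var/tmp)/|/\.[A-Za-z0-9_-]+/' || true
}

# --- constructed samples (not real output from a compromised host) ---------
SAMPLE_RPM_VA='S.5....T   /bin/ls
S.5....T   /bin/ps
.......T   /usr/bin/passwd
S.5....T c /etc/inetd.conf
missing    /sbin/ifconfig
S.5....T   /usr/share/doc/README'

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:53              0.0.0.0:*'

SAMPLE_RC='# constructed fragment of a start script
/sbin/syslogd -m 0
/usr/sbin/sshd
/usr/lib/.x/sshd -p 12345 >/dev/null 2>&1
cat /var/tmp/.r >/dev/null'

# Stand-alone demo on the samples above.
echo "== system binaries to reinstall from RPM =="
printf '%s\n' "$SAMPLE_RPM_VA" | flag_modified_binaries
echo "== listeners outside the allowlist (22, 80) =="
printf '%s\n' "$SAMPLE_NETSTAT" | flag_unexpected_listeners "22 80"
echo "== start-script lines launching from /tmp or hidden dirs =="
printf '%s\n' "$SAMPLE_RC" | scan_start_scripts
```

Two caveats when running the real commands on an owned box: `rpm`, `netstat`, `ls` and `ps` are exactly the binaries such kits replace, so run them from known-good copies (rescue media, or the disk mounted on a clean machine), and since the RPM database on the disk can be edited too, confirm suspicious files with `rpm -Vp` against the original package files rather than trusting `rpm -Va` alone.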