Re: [cobalt-security] root kitted :(



	Booting a kernel from ROM doesn't address the system binaries that have
been trojaned. In my experience, you'll need a ROM update patch to
update your kernel to something more recent. You might consider
installing and running a root-kit checker from chkrootkit.org. It may
also aid in recovering any hidden (but not deleted) entries in wtmp,
etc. Check the readme first, however, and note the dependencies on
system binaries that might, themselves, be trojaned. It's also a good
idea to look for services on 'weird' ports. NMAP is an excellent tool for
this purpose.
	Regardless, the way to solve this is the same: install the utilities
from a trusted source over the trojaned ones as a stopgap. Then
depending on how good your backups are and how certain you feel of your
intrusion time, consider a re-install of the core OS.
-- 

						John

John Brownlee
Senior Systems Administrator and "Network" Security Dude
Pima Community College
Phone: x4838
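
The port check mentioned in the message can be made independent of a possibly trojaned local netstat by comparing it against an nmap scan run from a separate, trusted machine. The following is an added example, not part of the original message; the host address, the port numbers and both tool outputs are constructed samples.

```python
import re

# Constructed sample: `nmap -oG -` output from a scan run on a separate, trusted machine.
NMAP_GREPABLE = (
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "111/filtered/tcp//rpcbind///, 50123/open/tcp/////\tIgnored State: closed (996)\n"
)

# Constructed sample: `netstat -tln` as printed on the suspect host itself.
NETSTAT_LOCAL = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
"""

def nmap_open_tcp(grepable):
    """TCP ports reported 'open' in nmap grepable (-oG) output."""
    ports = set()
    for m in re.finditer(r"\tPorts: ([^\t\n]*)", grepable):
        for entry in m.group(1).split(","):
            fields = entry.strip().split("/")
            if fields[1:3] == ["open", "tcp"]:
                ports.add(int(fields[0]))
    return ports

def netstat_listeners(text):
    """Map port -> set of bind addresses for TCP sockets in LISTEN state."""
    listeners = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 6 and cols[0].startswith("tcp") and cols[5] == "LISTEN":
            addr, _, port = cols[3].rpartition(":")
            listeners.setdefault(int(port), set()).add(addr)
    return listeners

def cross_view(grepable, netstat_text):
    """Return (hidden, unseen) port lists from the two views of the same host."""
    external = nmap_open_tcp(grepable)
    local = netstat_listeners(netstat_text)
    hidden = sorted(external - set(local))  # open from outside, absent locally
    unseen = sorted(p for p, addrs in local.items()  # non-loopback, scan missed it
                    if p not in external and not addrs <= {"127.0.0.1", "::1"})
    return hidden, unseen

if __name__ == "__main__":
    hidden, unseen = cross_view(NMAP_GREPABLE, NETSTAT_LOCAL)
    print("hidden from local netstat:", hidden, "| not reached by scan:", unseen)
```

A port in the first list means the local tool's output and the network view disagree, which is a reason to distrust the local binaries; a port in the second list usually just means a firewall sits between the scanner and the host.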