
Re: [cobalt-security] One weird HaQ... have you seen this..



<3C681435.28934187@xxxxxxxxxxxxx> wrote:
> Here are the symptoms...
> from chkrootkit:
>   Checking `lkm'... You have     1 process hidden for ps command
>   Warning: Possible LKM Trojan installed
> And really weird... from the "locate" command...
>   [root /home]# locate crypto
>   /home/susr/doc/python-docs-1.5.2/Doc/libcrypto.tex
> Now we know this should be:
>   [root /home]# locate crypto
>   /usr/doc/python-docs-1.5.2/Doc/libcrypto.tex
> and in fact the file is where it's supposed to be.
> When we first saw this we thought we were lucky; that we'd found the
> hacker because the slocate update was running at the moment he was
> hacking, and we started looking at those files... until we realized
> locate returned something weird like this for EVERY file on the box that
> didn't already start with /home/s
> Here's the scenario...
> We restore the box.  It's good.
> We restore the sites (CMU).  Good.
> The next day it has the symptoms again.
> Any help/ideas/requests for consulting work <smile> gratefully
> appreciated.

Suggestions:
- When importing with CMU use the -p option so all the passwords will be
changed, also change the default password in /etc/cmu/cobaltBase.xml
(userPasswd).

- Disable all cgi, ssi, asp, jsp, fpx or any other scripting language.

- Run a sniffer detector on your network, to make sure he/she hasn't hacked another
box and is using it to sniff passwords.
http://www.securiteam.com/tools/2GUQ8QAQOU.html

- Put your own sniffer on the same subnet and log all traffic to the box.

Jeff-
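The locate anomaly described in the original post (every path reported with a bogus /home/s prefix, while the real file sits at the unprefixed path) can be checked mechanically. The script below is an added example, not code from this thread or from the Cobalt/CMU tools: it cross-checks locate output against the filesystem and reports how many missing entries resolve once the suspect prefix is stripped, which points at a corrupted or tampered slocate database rather than files that moved. The prefix "/home/s" and the "crypto" search pattern are taken from the symptom in the post; the `exists` callback is an assumption added so the logic can run against a constructed filesystem.

```python
#!/usr/bin/env python3
"""Cross-check locate(1) output against the real filesystem (added example)."""
import os
import subprocess
import sys

# Bogus prefix observed in the thread: /home/susr/doc/... instead of /usr/doc/...
SUSPECT_PREFIX = "/home/s"


def check_locate_entries(entries, suspect_prefix=SUSPECT_PREFIX, exists=os.path.exists):
    """Return (missing, remapped).

    missing:  locate paths that do not exist on disk.
    remapped: (reported, real) pairs where dropping the suspect prefix yields a
              path that does exist, e.g. /home/susr/doc/x -> /usr/doc/x.
    `exists` is injectable so the check can run against a constructed tree.
    """
    missing, remapped = [], []
    for path in entries:
        path = path.strip()
        if not path or exists(path):
            continue  # empty line, or entry is genuinely on disk
        missing.append(path)
        if path.startswith(suspect_prefix):
            candidate = "/" + path[len(suspect_prefix):]
            if exists(candidate):
                remapped.append((path, candidate))
    return missing, remapped


def locate_db_looks_tampered(entries, suspect_prefix=SUSPECT_PREFIX,
                             exists=os.path.exists, threshold=0.5):
    """True when at least `threshold` of the missing entries remap cleanly.

    A handful of stale entries is normal churn; most of them snapping back to a
    real path after stripping one prefix is the signature from the thread.
    """
    missing, remapped = check_locate_entries(entries, suspect_prefix, exists)
    return bool(missing) and len(remapped) / len(missing) >= threshold


if __name__ == "__main__":
    pattern = sys.argv[1] if len(sys.argv) > 1 else "crypto"
    out = subprocess.run(["locate", pattern], capture_output=True, text=True).stdout
    missing, remapped = check_locate_entries(out.splitlines())
    for reported, real in remapped:
        print(f"REMAPPED {reported} -> {real}")
    print(f"{len(missing)} missing, {len(remapped)} remap after stripping {SUSPECT_PREFIX!r}")
    print("locate db looks tampered" if locate_db_looks_tampered(out.splitlines())
          else "no prefix pattern detected")
```

Run it on the affected box as `./check_locate.py crypto`; a rebuilt database (updatedb) that immediately shows the pattern again is worth treating as part of the compromise, not a locate bug.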