
Re: [cobalt-security] What to do if a raq4 is infected ?

On Fri, 20 Jun 2003, Bob Lenaerts wrote:
> Hi all,
> I have this as output
> What can I do about that ?
You could try to manually recover; however, you're wasting your time.

The exploit (the way they got in) is still going to be there, and whatever
other backdoors exist on the system. Really, you'll want to, if possible, get
an image of the system for forensic analysis to see how they got in, to
help develop the corrective action to stop this happening again.

Disconnect the box, rebuild from known good, patch, harden, secure,
reconnect.

> Can I, for example, delete ifconfig and reinstall ifconfig from a pkg ?
> Checking `ifconfig'... INFECTED
> Checking `login'... INFECTED
> Checking `pstree'... INFECTED
> Possible t0rn v8 (or variation) rootkit installed
> Searching for Showtee... Warning: Possible Showtee Rootkit installed
> Checking `lkm'... You have     4 process hidden for ps command
> Warning: Possible LKM Trojan installed
Looks like they've infected a fair set of files. Strange that netstat
wasn't infected; however, it looks like they used the kernel-module-based
rootkit to hide processes etc.

Best of luck

Gareth
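To make the triage in Gareth's reply mechanical, here is an added Python example (not from the thread, the list, or chkrootkit itself) that parses chkrootkit-style output such as the lines quoted above into a findings record and derives the same recommendation: any INFECTED binary or rootkit indicator means rebuild from known-good media after imaging the disk, and hidden processes or an LKM indicator mean the kernel itself may be lying, so replacing individual binaries cannot be trusted. The sample output is constructed from the quoted lines (with a clean `netstat` line added, since the reply notes it was not infected); the regular expressions assume chkrootkit's ``Checking `name'... INFECTED``, ``You have N process hidden for ps command`` and ``Possible ... installed`` line shapes.

```python
"""Triage helper for chkrootkit-style output.

Added example, not part of the thread or of chkrootkit. It classifies scan
lines into infected binaries, hidden-process counts and rootkit indicators,
then turns them into a rebuild/no-findings recommendation.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample, modelled on the lines quoted in the thread; not a real capture.
SAMPLE_OUTPUT = """\
Checking `ifconfig'... INFECTED
Checking `login'... INFECTED
Checking `netstat'... not infected
Checking `pstree'... INFECTED
Possible t0rn v8 (or variation) rootkit installed
Searching for Showtee... Warning: Possible Showtee Rootkit installed
Checking `lkm'... You have     4 process hidden for ps command
Warning: Possible LKM Trojan installed
"""

# Assumed line shapes (chkrootkit convention): only an upper-case INFECTED counts.
INFECTED_RE = re.compile(r"^Checking `(?P<name>[^']+)'\.\.\. INFECTED\s*$")
HIDDEN_RE = re.compile(
    r"^Checking `lkm'\.\.\. You have\s+(?P<count>\d+) process(?:es)? hidden "
    r"for (?P<tool>\w+) command"
)
ROOTKIT_RE = re.compile(r"Possible (?P<what>.+?) installed")


@dataclass
class Triage:
    infected_binaries: List[str] = field(default_factory=list)
    hidden_processes: Dict[str, int] = field(default_factory=dict)  # tool -> count
    rootkit_indicators: List[str] = field(default_factory=list)

    def kernel_level_compromise(self) -> bool:
        """Hidden processes or an LKM indicator mean the kernel may be lying to userland tools."""
        return any(n > 0 for n in self.hidden_processes.values()) or any(
            "lkm" in ind.lower() for ind in self.rootkit_indicators
        )

    def recommendation(self) -> str:
        if not (self.infected_binaries or self.hidden_processes or self.rootkit_indicators):
            return "NO FINDINGS: keep monitoring; a clean scan is not proof of a clean host."
        if self.kernel_level_compromise():
            return ("REBUILD (kernel-level): image the disk offline for forensics, then "
                    "reinstall from known-good media; replacing binaries on a host whose "
                    "kernel hides processes cannot be trusted.")
        return ("REBUILD (userland): image the disk for forensics, then reinstall from "
                "known-good media; the entry point and other backdoors are likely still present.")


def triage_chkrootkit(output: str) -> Triage:
    """Parse chkrootkit-style output into a Triage record."""
    t = Triage()
    for line in output.splitlines():
        line = line.rstrip()
        m = INFECTED_RE.match(line)
        if m:
            t.infected_binaries.append(m.group("name"))
            continue
        m = HIDDEN_RE.match(line)
        if m:
            t.hidden_processes[m.group("tool")] = int(m.group("count"))
        # A line may carry both a warning prefix and a rootkit name; search, don't anchor.
        m = ROOTKIT_RE.search(line)
        if m:
            t.rootkit_indicators.append(m.group("what"))
    return t


if __name__ == "__main__":
    result = triage_chkrootkit(SAMPLE_OUTPUT)
    print("Infected binaries :", ", ".join(result.infected_binaries))
    print("Hidden processes  :", result.hidden_processes)
    print("Rootkit indicators:", "; ".join(result.rootkit_indicators))
    print(result.recommendation())
```

Run it against a saved scan with `python3 triage.py < /dev/null` after replacing `SAMPLE_OUTPUT` with the file contents, or import `triage_chkrootkit` from a larger incident-handling script. The design point is that the decision never branches on which binaries were hit: once any indicator is present the answer is the one in the reply (image, then rebuild), and the LKM check only changes how strongly the output warns against trusting the live system.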