<[EMAIL PROTECTED]> wrote:
> Here are the symptoms...
> from chkrootkit:
> Checking `lkm'... You have 1 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> And really weird... from the "locate" command...
> [root /home]# locate crypto
> /home/susr/doc/python-docs-1.5.2/Doc/libcrypto.tex
> Now we know this should be:
> [root /home]# locate crypto
> /usr/doc/python-docs-1.5.2/Doc/libcrypto.tex
> and in fact the file is where it's supposed to be.
>
> When we first saw this we thought we were lucky; that we'd found the
> hacker because the slocate update was running at the moment he was
> hacking, and we started looking at those files... until we realized
> locate returned something weird like this for EVERY file on the box that
> didn't already start with /home/s
>
> Here's the scenario...
> We restore the box. It's good.
> We restore the sites (CMU). Good.
> The next day it has the symptoms again.
>
> Any help/ideas/requests for consulting work <smile> gratefully
> appreciated.
Suggestions:

- When importing with CMU use the -p option so all the passwords will be changed; also change the default password in /etc/cmu/cobaltBase.xml (userPasswd).
- Disable all cgi, ssi, asp, jsp, fpx or any other scripting language.
- Run a sniffer detector on your network, to make sure he/she hasn't hacked another box and is using it to sniff passwords. http://www.securiteam.com/tools/2GUQ8QAQOU.html
- Put your own sniffer on the same subnet and log all traffic to the box.

Jeff-

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
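The chkrootkit `lkm` warning quoted above comes from comparing the processes the kernel admits exist with what a readdir of /proc and the ps binary show. The following is an added example (not code from the thread or from chkrootkit) that performs the same three-way comparison on Linux and also filters out thread ids, which answer kill(pid, 0) but never appear in /proc's listing and are a common source of false positives in that test; it assumes /proc is mounted and ps is on PATH, and the function names are mine.

```python
"""Hidden-process check in the spirit of chkrootkit's lkm test. Added example
that assumes Linux with /proc mounted and a ps binary on PATH."""
import os
import subprocess

def proc_listed_pids():
    """PIDs that appear as numeric entries in a readdir of /proc."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def ps_pids():
    """PIDs reported by ps; a trojaned ps may silently omit some."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def kernel_pids(max_pid):
    """PIDs the kernel admits exist: kill(pid, 0) sends nothing, but ESRCH vs EPERM
    separates a dead pid from a live one owned by someone else."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive

def tgid_of(pid):
    """Thread-group id from /proc/<pid>/status; None when the entry is absent."""
    try:
        with open(f"/proc/{pid}/status") as f:
            return next(int(l.split()[1]) for l in f if l.startswith("Tgid:"))
    except (OSError, StopIteration):
        return None

def hidden_pids(kernel, listed, reported, tgid=tgid_of):
    """Pure comparison of the three views, testable with constructed sets.
    kill(pid, 0) also answers for thread ids, which readdir(/proc) never lists;
    they are excluded via Tgid instead of being reported as hidden."""
    hidden = []
    for pid in sorted(kernel):
        if pid in listed and pid in reported:
            continue
        t = tgid(pid)
        if t is not None and t != pid:
            continue  # a thread of a visible process, not a concealed one
        hidden.append(pid)
    return hidden
```

For a live run, read max_pid from /proc/sys/kernel/pid_max and call hidden_pids(kernel_pids(max_pid), proc_listed_pids(), ps_pids()). Processes that start or exit during the slow kernel probe can show up once; rerun and keep only the pids reported both times before treating them as hidden.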
