On Mon, Apr 09, 2001 at 12:16:18PM -0700, Erik Abella wrote:
> Hello All,
>
> A persistent joker attacked me with lion, ramen, and a trojan I still
> haven't found. I fired-up the free ID-scripts from SANS; did a whole lot of
> combing the filesystems; done away with cgi-bin; retained only root and my
> account as /bin/bash; and uninstalling everything except gnome+enlightenment
> and basic services - Just when I think that I've cleaned this menace out my
> system, he's back to wreak more havoc.
>
> Is it possible that he rolled-up a "trojan kernel" with daemons that nmap,
> lsof and grep cannot detect to be listening? Now, postfix gets 'Name service
> errors' for any domain except mine; has my eth0 automatically going
> promiscuous for sniffing; and even managed to lock /etc/passwd.
>
> We're reinstalling the system but it's important for me to know how exactly
> this guy does what he does. Comments, anyone?
I would hope you are using something like tripwire or aide, and keeping it
current. Anything that changed on the system would be pointed out. Set these
up *before* opening your system up to the world, and use an IDS like snort to
watch things from a network level. Also, syslog to a secure(r) host so logs
can not be tampered with.

Tim

--
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>> Tim Sailer (at home)                >< Coastal Internet, Inc.       <<
>> Network and Systems Operations      >< PO Box 671                   <<
>> http://www.buoy.com                 >< Ridge, NY 11961              <<
>> [EMAIL PROTECTED]/[EMAIL PROTECTED] >< (631) 924-3728               <<
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
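A minimal illustration of the host-integrity check Tim recommends, added here as an example and not code from the thread, from tripwire or from aide: it records a digest plus permissions and ownership for every regular file, then reports what appeared, vanished or changed against that baseline. The sample tree and the changes made to it are constructed for the demo.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(root):
    """Record a SHA-256 digest plus mode/owner/size for every regular file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and specials are ignored in this minimal checker
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            snap[os.path.relpath(path, root)] = {
                "sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid, "size": st.st_size}
    return snap

def compare(baseline, current):
    """List files that appeared, vanished, or changed content, permissions or owner."""
    both = set(baseline) & set(current)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in both if baseline[p] != current[p])}

def write(root, rel, data):
    """Create or overwrite a file below root, making parent directories as needed."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def demo():
    """Constructed sample tree standing in for a real filesystem; returns the diff."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "bin/ls", b"original ls")
        write(root, "cgi-bin/test.cgi", b"#!/bin/sh\n")
        write(root, "passwd", b"root:x:0:0::/root:/bin/bash\n")
        baseline = snapshot(root)  # keep the real baseline read-only or off-host
        # Simulate the kinds of change the checker should surface:
        write(root, "bin/ls", b"replaced ls")                # binary swapped out
        write(root, "bin/extra", b"unexpected")              # new file dropped in
        os.remove(os.path.join(root, "cgi-bin/test.cgi"))   # cgi-bin removed
        os.chmod(os.path.join(root, "passwd"), 0o700)        # permissions changed
        return compare(baseline, snapshot(root))
```

Because a kernel-level compromise of the kind Erik suspects can feed false file contents to any userland checker, the baseline belongs off-host and the comparison is most trustworthy when run after booting from known-clean media.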

