> > ...and a rootkit was installed.
>
> A very interesting story. I'm interested how a regular user was able to
> install a rootkit. I realize that you may not know.

Didn't have the time to analyse that but I presume through privilege
escalation. Cause this user had direct access to the running service.
Another possibility would be through kernel modules.

> > When I logged in and tried to ls I saw that ls gave me a segmentation
> > fault error. After some more minutes I saw that there are some files
> > that I didn't install.
>
> Can you say what the file names/locations were?

Can't remember anymore. I have it saved somewhere. But one of the tools I
never install is netstat. The changed apps were ls, ps, dir. When I
analyse it I will get back to you.

> May I suggest tripwire. It does require a bit of work when files are
> updated, but will catch this sort of thing.

Am using it but for this server there was no time to install it. Wanted
to do it later but never had the time. Unfortunately tripwire can't help
with a kernel module hack. For me the only real safeguard is chroot,
iptables and no kernel modules. For most servers they aren't needed
anyway.

L...
--
http://linuxfromscratch.org/mailman/listinfo/lfs-support
FAQ: http://www.linuxfromscratch.org/lfs/faq.html
Unsubscribe: See the above information page
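As an added example, not code from the thread or from tripwire: a minimal tripwire-style integrity check in POSIX sh that records SHA-256 hashes of chosen binaries and later reports any that changed or disappeared, which is the class of change (replaced ls, ps, dir) described in the message above. It assumes `sha256sum` from coreutils is available; the baseline path and file names in the comments are illustrative.

```shell
#!/bin/sh
# Added example: a tiny file-integrity baseline for system binaries.
# Assumes sha256sum (GNU coreutils). Paths below are illustrative.
#
# Usage: make_baseline /var/lib/integrity.sha256 /bin/ls /bin/ps /bin/dir
#        verify_baseline /var/lib/integrity.sha256

# make_baseline BASELINE_FILE FILE...
# Writes one "hash  path" line per file, the same format sha256sum emits.
make_baseline() {
    baseline=$1
    shift
    : > "$baseline"               # start from an empty baseline
    for f in "$@"; do
        sha256sum "$f" >> "$baseline" || return 1
    done
    return 0
}

# verify_baseline BASELINE_FILE
# Recomputes each hash and prints "MODIFIED: path" for any mismatch.
# A file that no longer exists hashes to "" and is reported too.
# Returns 0 when everything matches, 1 when something changed.
verify_baseline() {
    baseline=$1
    status=0
    while read -r expected path; do
        current=$(sha256sum "$path" 2>/dev/null | cut -d' ' -f1)
        if [ "$current" != "$expected" ]; then
            echo "MODIFIED: $path"
            status=1
        fi
    done < "$baseline"
    return $status
}
```

As the message notes, a kernel-module rootkit can hide file changes from any checker running on the same host, so the baseline and the checking tools should live off the host or on read-only media and be run from a clean environment.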
