tim hibbard wrote:
>
> Sorry about the hacker misconception. The media does have it pretty well
> embedded. Thanxs for the info.
>
> Any way the cracker put the linux root kit on my server, and it has trojan
> horses. Can anyone instruct me on how to rid my system of this.

It really depends on what root kit was used. I had a server cracked using the
rkunshadow root kit. Take a look thru the scripts that make up the root kit.
In my case, I had to reinstall the following RPM files:

Here's a list of updates we made (assuming you're running Redhat):

netkit-base-0.10-13.i386.rpm
nfs-server-2.2beta29-7.i386.rpm
nfs-server-clients-2.2beta29-7.i386.rpm
passwd-0.50-11.i386.rpm
rsh-0.10-4.i386.rpm
sh-utils-1.16-14.i386.rpm
util-linux-2.8-11.i386.rpm

Note that some RPMS have been updated since then. Just grab the latest from
the errata page.

Check to see if you have a "libs" program running. "libs" is a packet sniffer
the rkunshadow root kit installs; it writes all its output to
/usr/lib/libpanel_libs.so.1.2 - any users/passwords in there should be
considered compromised. Actually, we considered all compromised, since they
had root access...

Since the attack, we have tightened security using the /etc/hosts.allow and
/etc/hosts.deny files.

--
Chuck Gadd
Director of Software Development, Cyber FX Communications
e-mail:[EMAIL PROTECTED] http://www.cfxc.com
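
The checks described in the message above, as an added example that is not part of the original post: it looks for the sniffer output file and a process named "libs", and filters `rpm -V` output for the listed packages. The function names are hypothetical, the package names are taken from the RPM file names above, and it assumes you run it from trusted media, since tools on the cracked host may themselves be trojaned.

```shell
#!/bin/sh
# Added example: triage for the rkunshadow artifacts named in the message.
# Assumption: run with known-good ps/rpm/awk binaries (e.g. from rescue media).

SNIFFER_LOG=usr/lib/libpanel_libs.so.1.2   # path given in the message

# Return 0 and print a finding if the sniffer output file exists under ROOT.
# ROOT defaults to /, or point it at a mounted copy of the suspect disk.
check_sniffer_log() {
    root=${1:-/}
    f="${root%/}/$SNIFFER_LOG"
    if [ -e "$f" ]; then
        echo "FOUND sniffer log: $f ($(wc -c < "$f" | tr -d ' ') bytes)"
        return 0
    fi
    return 1
}

# Read "PID COMMAND" lines (as from: ps -e -o pid=,comm=) on stdin and print
# the PIDs whose command name is exactly "libs" (bare or with a path).
find_libs_pids() {
    awk '$2 == "libs" || $2 ~ /\/libs$/ { print $1 }'
}

# Read `rpm -V` output on stdin; print files that are missing, plus non-config
# files whose digest changed ("5" in the third flag column).
modified_binaries() {
    awk '$1 == "missing" { print $NF; next }
         substr($1, 3, 1) == "5" && $2 != "c" { print $NF }'
}

# Package names from the RPM list in the message.
PKGS="netkit-base nfs-server nfs-server-clients passwd rsh sh-utils util-linux"

# Run all three checks against the live system.
run_triage() {
    check_sniffer_log / || echo "sniffer log not present"
    pids=$(ps -e -o pid=,comm= | find_libs_pids)
    [ -n "$pids" ] && echo "process named libs, PID(s): $pids"
    for p in $PKGS; do
        rpm -V "$p" 2>/dev/null | modified_binaries | sed "s|^|$p: |"
    done
    return 0
}
```

Source the file and call `run_triage`; a clean result from `rpm -V` only means something if the RPM database itself was not altered.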