On 17 Dec 02 at 0:59, Rick Moen wrote:
> Quoting Reynald I. Ngo ([EMAIL PROTECTED]):
>
> Yes. Shut down and rebuild. There's unfortunately no alternative.

Safest really but a pain. But if you can find all the holes, you may not need to.

> The Slapper "Cinik" variant is an automated buffer-overflow attack
> against an August 2002 bug in OpenSSL running under Apache. (Not
> intending to add to your woes, but systems that have kept current with
> security patches will be unaffected -- as will sites that don't use
> Apache for https, i.e., most sites.)

Or disable SSL.

> The evisceration of your system logs was intended to make it less likely
> you'd notice the compromise of your system. Congratulations on that not
> working, by the way. Most people don't notice for a very long time.

syslogd may also be compromised. It logs only some access, not all, and therefore you'd not be wiser until you notice that not all activities are logged.

> For the same reason, the human attacker, after receiving the worm's
> notification e-mail, used its backdoor to enter your system and used
> root access to replace key administrative binaries (ps, netstat, top,
> etc.) with "trojaned" versions that attempt to hide his system activity
> from the sysadmin's attention. Typically, these binaries come in a

I got to scan all the files and checked the filesize with another system and found the trojaned ones. Also, some of them are chattr...so you can rm them.

> source archive called a "rootkit" (_not_ an attack tool; just a
> camouflage one) that the attacker manually compiles on your system and
> then installs, replacing your real admin utilities.
>
> One long-term lesson is that any process that's addressable remotely
> from anywhere in the world (a network daemon) should be a special object
> of your attention -- _if_ you run that daemon. If you're not sure you
> need a daemon, switch it off.

Oh...it may also edit your rc scripts...so check them as well.

> off the vulnerable daemon until you can: Temporarily having a service
> unavailable may be inconvenient, but it's much less so than having to
> rebuild from scratch and not even be able to trust your /etc/* files
> or home-directory dotfiles -- which is what you're going to have to do,
> now.

Back up, back up, back up...

_
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
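As an added example (not from the original thread or from either poster), a small POSIX shell integrity check in the spirit of the file-size comparison described above: it records sha256 and size for the named admin binaries and rc scripts as a baseline and reports what has changed since. It assumes GNU coreutils (sha256sum) and that the baseline is taken from a trusted system, not from the compromised one.

```shell
# Added example, not from the original thread: a file-integrity baseline for
# the admin binaries and rc scripts the thread says a rootkit replaces.
# Assumes GNU coreutils (sha256sum). Take the baseline from a trusted host or
# known-good media: on a compromised box sha256sum itself may be trojaned.
set -u

# Write one "sha256 size relative-path" line for each FILE under ROOT.
make_manifest() {
    root=$1; shift
    for f in "$@"; do
        sum=$(sha256sum "$root/$f" | cut -d' ' -f1)
        size=$(wc -c < "$root/$f" | tr -d ' ')
        printf '%s %s %s\n' "$sum" "$size" "$f"
    done
}

# Compare ROOT against MANIFEST, report each missing or altered file and
# return the number of discrepancies (0 means everything still matches).
check_manifest() {
    manifest=$1; root=$2; bad=0
    while read -r sum size f; do
        if [ ! -f "$root/$f" ]; then
            echo "MISSING $f"; bad=$((bad + 1)); continue
        fi
        cur=$(sha256sum "$root/$f" | cut -d' ' -f1)
        cursize=$(wc -c < "$root/$f" | tr -d ' ')
        if [ "$cur" != "$sum" ] || [ "$cursize" != "$size" ]; then
            echo "CHANGED $f (size $size -> $cursize)"; bad=$((bad + 1))
        fi
    done < "$manifest"
    return "$bad"
}

# Constructed demo: a fake root with stand-ins for ps, netstat and rc.local
# is baselined clean, then ps is swapped and rc.local edited as in the thread.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/etc"
    printf 'real ps\n' > "$d/bin/ps"
    printf 'real netstat\n' > "$d/bin/netstat"
    printf '# rc.local\n' > "$d/etc/rc.local"
    make_manifest "$d" bin/ps bin/netstat etc/rc.local > "$d/manifest"
    printf 'replacement ps that hides processes\n' > "$d/bin/ps"
    printf 'line appended after the baseline\n' >> "$d/etc/rc.local"
    n=0; check_manifest "$d/manifest" "$d" || n=$?
    rm -rf "$d"
    return "$n"   # 2 discrepancies: ps and rc.local; netstat is untouched
}

demo; echo "discrepancies: $?"
```

On a real host, run make_manifest from a known-clean install (or a rescue CD) over /bin, /sbin and /etc/rc*, keep the manifest off the machine, and re-run check_manifest against it whenever you suspect tampering.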
