Hello,

On Sun, 09 Sep 2007 11:01:48 +0200 f00 <[EMAIL PROTECTED]> wrote:
>i got infected by t0rn rootkit on my ubuntu 7.04 server (recognized
>today). I had all recent patches installed, so i think there is
>another exploit.

Sorry to hear that. The fact is that installing updates is not the only avenue for crackers: weak service and system authorisation, allowing people on the system (shell server), service misconfiguration, non-SSL'ed FTP, lax access restrictions are just a few things one needs to check and correct before you can call a server somewhat "hardened".

>I will bring you my logs (which logs would you like to see?) on
>monday, i powered down the server for now.

Please DO NOT attach logs unless asked for. I'm afraid this list is not for helping you find the root cause of the compromise. We do occasionally ask for logs if we think it can enhance Rootkit Hunter detection methods.

If you want help with your compromise I suggest you make a tarball out of the system 'last' records, system and daemon logs and upload it to your homepage or a free webhost and become a member of a Linux forum. There's a lot of them that are willing to help, I've been helping people at http://www.linuxquestions.org/questions/forumdisplay.php?f=4 for the past years. To make sure you post all relevant info please also read and act on the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intruder_detection_checklist.html.

Regards, unSpawn

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
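One way to assemble the tarball suggested in the reply above, as an added example that is not part of the original post or of Rootkit Hunter. It assumes the powered-down server's disk has been mounted read-only on a clean machine (the mount point is passed as an argument) and that the login databases sit under var/log as on Ubuntu; `collect_logs` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the original post). Assumption: the suspect disk
# is mounted read-only on a clean analysis host, e.g. at /mnt/suspect.
# collect_logs is a hypothetical helper name.
collect_logs() {
    root=$1
    out=$2
    [ -d "$root/var/log" ] || { echo "no var/log under $root" >&2; return 1; }
    work=$(mktemp -d) || return 1
    mkdir -p "$work/evidence"

    # System and daemon logs, timestamps preserved. On Ubuntu the login
    # databases read by 'last' (wtmp, btmp) live in var/log as well.
    cp -Rp "$root/var/log" "$work/evidence/log" || { rm -rf "$work"; return 1; }

    # Render 'last' from the suspect's databases, not the analysis host's.
    for db in wtmp btmp; do
        f="$root/var/log/$db"
        if [ -s "$f" ] && command -v last >/dev/null 2>&1; then
            last -f "$f" > "$work/evidence/last-$db.txt" 2>/dev/null || true
        fi
    done

    # Hash manifest so whoever downloads the tarball can verify the contents.
    ( cd "$work/evidence" &&
      find . -type f ! -name SHA256SUMS -exec sha256sum {} + |
      sort -k 2 > SHA256SUMS )

    tar -czf "$out" -C "$work" evidence
    rc=$?
    rm -rf "$work"
    return $rc
}

# Usage: sh collect.sh /mnt/suspect suspect-logs.tar.gz
if [ "$#" -eq 2 ]; then
    collect_logs "$1" "$2"
fi
```

After extracting, running `sha256sum -c SHA256SUMS` inside `evidence/` confirms the files match what was collected.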