So a server I maintain got broken into a few days ago, and I ran rkhunter as part of my attempt to figure out what the attackers actually did. It didn't find anything. The next day, I discover that sshd was clearly modified with a backdoor. The problem I have is that I realized I was running rkhunter 1.3.0 (which was the current version in the Ubuntu repository), not the newest 1.3.4. I've installed 1.3.4 in a directory, but is there any way to run it on the compromised file without actually having to copy the compromised sshd back to /usr/sbin/sshd?
If someone tells me how to run it on that file, and rkhunter does NOT detect it, is there a process to submit the file so that it can be detected in the future? Thanks, Jeff
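One check that works on a preserved copy of the binary without putting it back under /usr/sbin, added here as an example and not part of the original post or of rkhunter: compare the copy's MD5 against the per-package manifest dpkg keeps (on Ubuntu, /var/lib/dpkg/info/openssh-server.md5sums). The fixture below is constructed; the manifest path and function names are assumptions.

```shell
#!/bin/sh
# Compare a preserved copy of a binary against the md5sums manifest that dpkg
# keeps for the package that installed it. Manifest lines look like:
#   <md5>  usr/sbin/sshd
# Arguments: manifest file, packaged path (no leading slash), path to the copy.
# Exit status: 0 = copy matches the packaged file, 1 = copy differs,
#              2 = path not listed in the manifest.
verify_copy() {
    manifest=$1; packaged=$2; copy=$3
    expected=$(awk -v p="$packaged" '$2 == p { print $1 }' "$manifest")
    [ -n "$expected" ] || return 2
    actual=$(md5sum "$copy" | awk '{ print $1 }')
    [ "$expected" = "$actual" ] && return 0
    return 1
}

# Returns "clean", "modified" or "unlisted" for a given copy.
classify() {
    rc=0
    verify_copy "$1" "$2" "$3" || rc=$?
    case $rc in
        0) echo clean ;;
        1) echo modified ;;
        *) echo unlisted ;;
    esac
}

# Constructed fixture standing in for the openssh-server manifest and an
# evidence copy of sshd. On a real host, prefer a manifest taken from a freshly
# downloaded openssh-server .deb (dpkg-deb --fsys-tarfile) over the one on the
# compromised disk, since an intruder with root can rewrite that file as well.
make_fixture() {
    dir=$(mktemp -d)
    printf 'pristine sshd bytes' > "$dir/sshd.orig"
    sum=$(md5sum "$dir/sshd.orig" | awk '{ print $1 }')
    printf '%s  usr/sbin/sshd\n' "$sum" > "$dir/openssh-server.md5sums"
    cp "$dir/sshd.orig" "$dir/sshd.evidence"
    echo "$dir"
}

# Demo: an untouched copy, then the same copy with bytes appended.
d=$(make_fixture)
classify "$d/openssh-server.md5sums" usr/sbin/sshd "$d/sshd.evidence"
printf 'appended bytes' >> "$d/sshd.evidence"
classify "$d/openssh-server.md5sums" usr/sbin/sshd "$d/sshd.evidence"
rm -rf "$d"
```

A match only proves the copy is byte-identical to what the package shipped; a mismatch tells you the file changed, not how, so keep the copy for further analysis.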