unsp...@hushmail.com writes

> On Sun, 04 Oct 2009 15:28:55 +0200 Thomas Krichel
> <kric...@openlib.org> wrote:
>
> > I have a rootkit installed on a bunch of machines that rkhunter
> > does not find.
>
> Maybe a stupid question, but did you install it yourself or did you
> find "evidence" of somebody having installed it?

A user came in with a stolen password, got root access through the kit and did not delete her history, so I could reproduce the actions taken by her.

> > This appears after infection with SHV4 / SHV5, which rkhunter
> > found.
>
> Could you please attach details (rkhunter.log)?

I have deleted that a long time ago. But here is what I have been advised about this tool after discussion on the debian security list. This is not a root kit, it is a binary that exploits a hole in certain kernel versions. Unfortunately it is wide-spread; I found the problem on two other machines that I am using.

http://lists.debian.org/debian-security/2009/10/threads.html

Kernel updates and reboots fix it, but you have to have a recent kernel. I had access to two more machines where I am not root, and the kit got me in as root both times. I wrote to the maintainers immediately.

> Who/where did you get these instructions from? Just curious.

See above.

> If another user installed binaries and or a LKM in directories
> writable by only root then you have a most serious compromise on
> your hands. It is imperative you follow proper Incident Response
> procedure and not try to "restore" the machine. That would be
> similar to treating *only symptoms* and not the *cause*!

I know, but I am not sure how to clean the machine without completely losing all the data. Because I can't be sure that the machine is clean, I was suspicious that it was some remnant of a back door. But this is much worse: it's a general tool that appears to work with most kernels that folks use out there.

Thanks and cheers,

Thomas Krichel                    http://openlib.org/home/krichel
                                  RePEc:per:1965-06-05:thomas_krichel
                                  skype: thomaskrichel

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users