On Mon, 05 Oct 2009 21:04:36 +0200 Thomas Krichel <kric...@openlib.org> wrote:

>> Could you please attach details (rkhunter.log)?
>
> I have deleted that a long time ago. But here is what I have been
> advised about this tool after discussion on the debian security
> list. This is not a root kit, it is a binary that exploits a hole in
> certain kernel versions. Unfortunately it is wide-spread, I found the
> problem on two other machines that I am using
>
> http://lists.debian.org/debian-security/2009/10/threads.html
I see. Thanks for the quick follow-up.

>> If another user installed binaries and or a LKM in directories
>> writable by only root then you have a most serious compromise on
>> your hands. It is imperative you follow proper Incident Response
>> procedure and not try to "restore" the machine. That would be
>> similar to treating *only symptoms* and not the *cause*!
>
> I know, but I am not sure how to clean the machine without
> completely losing all the data.

Allow me to correct your scope: "cleaning" the system is not an option (unless you have the skills, time and independent, autonomous ways to unambiguously verify the filesystem, data and backup integrity) and losing valuable data isn't your problem, or put differently: if the user gained access to the root account then basically all bets are off and *you don't know what she got already*. For instance shell history might not show she transferred passwords off the system. And if systems are connected and passwords shared between accounts then not taking drastic measures now to contain the situation might even facilitate (easier) compromise of other systems.

The system should be completely isolated from all traffic and users (except your management IP or range) until you have completed your investigation of the system and reformatted and reinstalled the OS from scratch.

Providing complete Incident Response support is unfortunately outside the scope of this mailing list but if you head over to say http://www.linuxquestions.org/questions/linux-security-4/ or the Debian Security mailing list there'll definitely be knowledgeable and helpful people around willing to help you.

Good luck!

Regards, unSpawn

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
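The isolation step unSpawn recommends (no traffic except your management IP or range while the host is investigated), as an added example that is not part of the original mail or of rkhunter: a POSIX shell script that generates an iptables-restore ruleset for the suspect host. MGMT_NET (an RFC 5737 documentation range) and SSH_PORT are constructed placeholders to be replaced with your own values.

```shell
#!/bin/sh
# Added example, not from the original mail: emit an iptables-restore ruleset
# that cuts a suspect host off from everything except a management range.
# MGMT_NET is a constructed placeholder (RFC 5737 documentation network);
# override it and SSH_PORT in the environment to match your own setup.
MGMT_NET="${MGMT_NET:-203.0.113.0/24}"
SSH_PORT="${SSH_PORT:-22}"

# Print the filter table. Default policy is DROP in every direction; only
# loopback and SSH from/to the management range are accepted, and every
# other packet is logged before it is dropped so you can see what the host
# (or the intruder) still tries to reach while you image and investigate it.
# An SSH session already open from MGMT_NET survives the switch because the
# ESTABLISHED state is matched on both INPUT and OUTPUT.
isolation_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -s ${MGMT_NET} -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d ${MGMT_NET} -p tcp --sport ${SSH_PORT} -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-prefix "ISOLATED-IN: " --log-level 4
-A OUTPUT -j LOG --log-prefix "ISOLATED-OUT: " --log-level 4
COMMIT
EOF
}

# Sanity check before applying: the only ACCEPT rules should be the two
# loopback rules and the two management SSH rules, i.e. exactly 4.
count_accepts() {
  isolation_rules | grep -c -- '-j ACCEPT'
}

# Load the ruleset (needs root and iptables-restore on the host). Refuses to
# run if the ACCEPT count is not the expected 4, so an edited template that
# accidentally opens more than management SSH is never applied.
apply_isolation() {
  [ "$(count_accepts)" = "4" ] || { echo "unexpected ACCEPT rules, not applying" >&2; return 1; }
  isolation_rules | iptables-restore
}

# Usage: review with `isolation_rules`, then `apply_isolation` from a
# console or a session coming from MGMT_NET.
```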