On Fri, 01 Jan 2010 02:44:37 +0100 Brent Clark <brentgclarkl...@gmail.com> wrote:

> Machine is running Debian Lenny and it's compromised. First thing I do is
> run rkhunter, and it reports everything ok.
>
> I found the scripts in /dev/shm.
>
> Please see attached screenshot. Interesting the person came in on user nagios.
>
> I had to find the script by running command
>
> find . \( -name '*r00t*' -o -name 'ps' -o -name 'ssh-scan' \)
I'm sorry to see you're disappointed with RKH. Unfortunately your email does not reveal much because screenshots usually are way too large in size (compared to the value of information they hold). What I'm missing is rkhunter version and configuration information, suspected process information (if any) like (*attached and compressed*) current process, network and open files listings. (Feel free to add the listings and a tarball with suspected files to a Sourceforge bug tracker ticket.) Without that information there is not much that could help us help you.

Since the (ab)user dumps files as user nagios you could go find out what vulnerable parts of your setup are exposed to world. If you don't know where to start have a look at http://web.archive.org/web/20080109214340/http://www.cert.org/tech_tips/intruder_detection_checklist.html.

Best regards,
unSpawn

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
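A small triage helper along the lines of what unSpawn asks for, added here as an example; it is not code from either message and not part of rkhunter. It sweeps the world-writable scratch directories for the file names Brent's find command used plus any executable regular file, cross-checks /proc against ps to spot processes a trojaned ps would hide, and bundles the process, socket and open-file listings into one tarball that can be attached to a bug tracker ticket. The directory list, the output location and the name patterns are assumptions taken from this thread, not a standard; ss/netstat/lsof are optional.

```sh
#!/bin/sh
# Added triage helper (example code, not from the thread or from rkhunter).
# Assumes a POSIX sh and find; ss/netstat/lsof are used only if present.

# Sweep scratch directories (where the poster found the kit) for files that
# match the names from the original find command, plus any executable regular
# file, which has no business living in /dev/shm or /tmp on a Nagios box.
scan_scratch() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -type f \( -name '*r00t*' -o -name 'ps' -o -name 'ssh-scan' \
            -o -perm -u+x \) -print 2>/dev/null
    done
}

# Number of hits, usable from cron as a cheap "did something appear" check.
count_hits() {
    scan_scratch "$@" | wc -l | tr -d ' '
}

# PIDs that exist in /proc but are missing from ps output: a classic symptom
# of a userland rootkit that replaces ps (the kind of file rkhunter checks).
# A process that exits between the two listings also shows up, so re-run
# before drawing conclusions.
hidden_pids() {
    psout=$(ps -eo pid= 2>/dev/null | tr -d ' ')
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        printf '%s\n' "$psout" | grep -qx "$pid" || echo "$pid"
    done
}

# Collect the volatile listings unSpawn asks for, plus copies of the suspect
# files (timestamps and ownership preserved), into "$1" and tar it up.
# Every tool is optional so a missing one does not abort the collection.
collect_volatile() {
    out=$1
    mkdir -p "$out"
    date -u > "$out/collected_at.txt"
    ps auxww > "$out/ps.txt" 2>/dev/null || true
    { ss -tunap || netstat -tunap; } > "$out/net.txt" 2>/dev/null || true
    lsof -nP > "$out/lsof.txt" 2>/dev/null || true
    hidden_pids > "$out/hidden_pids.txt"
    scan_scratch /dev/shm /tmp /var/tmp > "$out/scratch_hits.txt"
    # flatten the path into the copy's name so /dev/shm/ps and /tmp/ps
    # do not collide
    while IFS= read -r f; do
        cp -p "$f" "$out/suspect_$(printf '%s' "$f" | tr / _)" 2>/dev/null || true
    done < "$out/scratch_hits.txt"
    tar czf "$out.tgz" -C "$(dirname "$out")" "$(basename "$out")"
    echo "$out.tgz"
}

# Dispatcher: with no arguments the script only defines the functions, so it
# can be sourced; "scan [dirs]", "hidden" and "collect [outdir]" run them.
case "${1:-}" in
    scan)    shift; [ $# -gt 0 ] || set -- /dev/shm /tmp /var/tmp
             scan_scratch "$@" ;;
    hidden)  hidden_pids ;;
    collect) collect_volatile "${2:-/root/triage-$(date +%Y%m%d%H%M%S)}" ;;
    *)       : ;;
esac
```

Run it from a shell whose binaries you trust (a live CD or statically linked copies on read-only media), since a replacement ps was already sitting in /dev/shm on this host; anything that shells out to the system's own ps, find or tar on a compromised box can be lied to. The hidden-PID check is a quick indicator, not proof: kernel-level rootkits hide from /proc as well.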