Hello to the list:

I've been affected by a "new" rootkit on a Debian Lenny server, but
rkhunter doesn't detect it. I started to search for the infection when,
trying to do an scp, I saw this message:

command-line: line 0: Bad configuration option: PermitLocalCommand

After this, I tested the md5sum of ssh and sshd against the packaged ones
and saw differences:

md5sum /usr/bin/ssh:
f5c428c1f088adc41d3c6e64e4cbf57f  /usr/bin/ssh

cat /var/lib/dpkg/info/openssh-client.md5sums:
57fa3926bd334ef8b107c4d7519fb207  usr/bin/ssh

md5sum /usr/sbin/sshd
e0ad3e840272112ab3ad4f31d0a1750a  /usr/sbin/sshd

cat /var/lib/dpkg/info/openssh-server.md5sums:
a9061c790ada52e51dc94838f495609b  usr/sbin/sshd

Doing a strings on an affected binary, I found this:

mailI -s "Salut sefu, am noutH@ ati"fd1bloo_sht...@yahhoo.cf

WTF! I'm affected by a rootkit! Looking in the logs, I found some
mails to this e-mail: d1bloo_st...@yahoo.com; this is the e-mail used
by the cracker to collect info...

I think a good add-on for rkhunter would be to inspect the MD5s of the packages.
A good test may be to run debsums on Debian systems....

If somebody wants this, I will send the compromised binaries.
Sorry for my bad English.

Greetings,
Carlos Oliva
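
The check described above (comparing a binary's on-disk MD5 with the one recorded in the package's dpkg md5sums file) as an added Python example; it is not code from the original post, from rkhunter or from debsums, and it assumes a constructed fake root with stand-in file contents rather than a real Debian system:

```python
"""Check installed files against the MD5s dpkg recorded at install time.
Each /var/lib/dpkg/info/<pkg>.md5sums line reads "<md5 hex>  <path relative to />".
This is the per-package core of what debsums does; a replaced /usr/bin/ssh
shows up as a mismatch against the package's own recorded hash."""
import hashlib
import os
import tempfile

def md5_of_file(path):
    """Stream the file so large binaries need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_md5sums(md5sums_path, root="/"):
    """Return {relative_path: (recorded, actual)} for files whose on-disk MD5
    differs from the recorded one; actual is None when the file is missing."""
    mismatches = {}
    with open(md5sums_path) as fh:
        for line in fh:
            line = line.rstrip("\n")
            if not line:
                continue
            recorded, rel = line.split("  ", 1)  # md5sum output uses two spaces
            full = os.path.join(root, rel)
            actual = md5_of_file(full) if os.path.isfile(full) else None
            if actual != recorded:
                mismatches[rel] = (recorded, actual)
    return mismatches

def build_sample():
    """Constructed fixture (assumption: stand-in contents, not real OpenSSH
    binaries): a fake root holding one intact and one replaced file."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "usr/bin"))
    original_ssh = b"#!/bin/sh\necho original ssh\n"
    original_scp = b"#!/bin/sh\necho original scp\n"
    with open(os.path.join(root, "usr/bin/ssh"), "wb") as fh:
        fh.write(original_ssh)                       # untouched since install
    with open(os.path.join(root, "usr/bin/scp"), "wb") as fh:
        fh.write(b"#!/bin/sh\necho replaced scp\n")  # swapped out after install
    md5sums = os.path.join(root, "openssh-client.md5sums")
    with open(md5sums, "w") as fh:
        fh.write("%s  usr/bin/ssh\n" % hashlib.md5(original_ssh).hexdigest())
        fh.write("%s  usr/bin/scp\n" % hashlib.md5(original_scp).hexdigest())
    return md5sums, root
```

On a real system, call verify_md5sums("/var/lib/dpkg/info/openssh-server.md5sums") with the default root to reproduce the manual comparison from the post.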

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
