On Fri, 03 May 2013 00:23:13 +0200 "A K Varnell" <alvarn...@mac.com> wrote:
> Just curious whether any of the existing Apache checks will catch this one for Linux users?
Let's start by emphasizing RKH is a passive, post-incident analysis tool. That means it will only catch "signatures" it knows about, only after it happened and only when you run it. Security (as in hardening, auditing and adjusting) is a continuous process. It should comprise multiple layers and preferably involve more than one active / passive tool or method. Running RKH does not equal "security": it's just a small part of things.

In this case the perp first requires access to be able to drop the file, then elevate rights to be able to replace a root-owned binary and then start the process. While most of CDork is done in shared memory, replacing the binary still means package management (if capable enough and not subverted), a file system integrity checker, RKH's properties check or else 'grep -aq open_tty /path/to/httpd && echo changed' should be able to verify it and alert you about changes. Additionally audit service watches or Samhain (because it uses Inotify) and regular log parsing (Logwatch or equivalent) could be added to the mix.

Wrt detection also see the http://www.welivesecurity.com/wp-content/uploads/2013/04/dump_cdorked_config.c tool.

HTH,
unSpawn

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
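The reply above combines two ideas: a stored baseline for a root-owned binary (what package management or a file integrity checker gives you) and a quick string scan like 'grep -aq open_tty /path/to/httpd'. The script below is an added example, not code from the list post or from the rkhunter project; it builds two constructed stand-in files (one clean, one containing the open_tty marker mentioned in the post), records a SHA-256 baseline for the clean one, and reports 'changed' when either the hash no longer matches or the marker string appears. The file names, the demo contents and the sha256sum-based baseline are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example: baseline hash check plus marker-string scan for a binary.
# Everything under WORKDIR is constructed for the demo (not a real httpd).

WORKDIR="${TMPDIR:-/tmp}/integrity_demo.$$"
mkdir -p "$WORKDIR"

# Constructed stand-ins: a "clean" binary and a replacement that carries the
# open_tty marker string named in the post.
printf 'ELF-demo-original-content\n' > "$WORKDIR/httpd"
printf 'ELF-demo-replacement-open_tty-call\n' > "$WORKDIR/httpd.replaced"

# Record a baseline the way an integrity checker would at install time.
baseline_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# Returns 0 when the file still matches the stored baseline hash, 1 otherwise.
check_hash() {
    file="$1"; expected="$2"
    [ "$(baseline_hash "$file")" = "$expected" ]
}

# Returns 0 when the marker string is present (suspicious), 1 when absent.
# -a treats the binary as text so grep does not just print "Binary file matches".
has_marker() {
    file="$1"; marker="$2"
    grep -aq "$marker" "$file"
}

# Combine both checks: print and return 'changed' when either one trips,
# 'ok' only when the hash matches and the marker is absent.
verify_binary() {
    file="$1"; expected="$2"; marker="$3"
    if ! check_hash "$file" "$expected"; then
        echo changed
        return 1
    fi
    if has_marker "$file" "$marker"; then
        echo changed
        return 1
    fi
    echo ok
    return 0
}

# Stand-alone usage: take the baseline from the clean file, then verify both.
BASELINE=$(baseline_hash "$WORKDIR/httpd")
verify_binary "$WORKDIR/httpd" "$BASELINE" open_tty
verify_binary "$WORKDIR/httpd.replaced" "$BASELINE" open_tty
```

In practice the baseline would come from the package database or an integrity checker's store rather than from the file being checked, and the marker scan is a cheap supplement, not a substitute for the hash comparison.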