Hello Bastian, On Sun, 03 Nov 2013 13:23:19 +0100 "Bastian Bringenberg" <bastian.bringenb...@typo3.org> wrote: >we noticed right now an attempt to use our server for nasty things.
First of all I hope you took appropriate steps to isolate the server, inform users and check the server thoroughly. >This small script tried to connect to a foreign IRC Server >to receive commands and was able to change is command in top and >htop to „/usr/sbin/asterisk“. We don’t use asterisk at all so >there is no binary file located at this location. It's not uncommon for scripts and applications to mimic a seemingly innocuous process name like "/usr/local/bin/httpd -DSSL". And Glibc, depending on your version, used to include a binary called 'doexec' that would do the same: arbitrarily change argv[0] to Something Completely Different. A quick and dirty way could be to compare the output '\ps -ocmd' sees with the value of 'readlink -f /proc/$PID/exe' and check the file on disk. This does however cause false positives like with kthread(d) children (not actual user land processes), processes using symlinks (also see /etc/alternatives/), ephemeral processes, mount point usage like with Fedora (/bin symlinked to /usr/bin) and processes that legitimately change their process name like Sendmail, Screen, etc, etc. >Here comes my question: >Is rkunter able to check whether the process file exists in the filesystem? Would it make sense to check this at all? It would be possible but please realize RKH is a simple, post- incident way of checking things. Finding such an application is only a -=[ symptom ]=- of a breach of security occurring earlier. This IMHO means the emphasis should be on admin and security best practices like preventive maintenance and proper system hardening. One tool already covering process watching is Samhain and also the audit service is able to log execves. HTH, unSpawn --- ------------------------------------------------------------------------------ Android is increasing in popularity, but the open development platform that developers love is also attractive to malware creators. Download this white paper to learn more about secure code signing practices that can help keep Android apps secure. http://pubads.g.doubleclick.net/gampad/clk?id=65839951&iu=/4140/ostg.clktrk _______________________________________________ Rkhunter-users mailing list Rkhunter-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/rkhunter-users
