Hey unSpawn,
> First of all I hope you took appropriate steps to isolate the
> server, inform users and check the server thoroughly.
Of course =). Not the first attempt to work on our servers!
> It would be possible but please realize RKH is a simple, post-
> incident way of checking things. Finding such an application is
> only a -=[ symptom ]=- of a breach of security occurring earlier.
> This IMHO means the emphasis should be on admin and security best
> practices like preventive maintenance and proper system hardening.
> One tool already covering process watching is Samhain and also the
> audit service is able to log execves.
Thank you very much. I guess I will take a look at Samhain then. More false
positives are better than too little information at all. In my opinion we need
something saying: „Take a look at this server!“ so if there is another service
I’ll take a look at it =).
Have a nice evening,
Bastian
On 03.11.2013 at 16:20, unsp...@hushmail.com wrote:
> Hello Bastian,
>
> On Sun, 03 Nov 2013 13:23:19 +0100 "Bastian Bringenberg"
> <bastian.bringenb...@typo3.org> wrote:
>> we noticed right now an attempt to use our server for nasty
>> things.
>
> First of all I hope you took appropriate steps to isolate the
> server, inform users and check the server thoroughly.
>
>
>> This small script tried to connect to a foreign IRC Server
>> to receive commands and was able to change its command in top and
>> htop to „/usr/sbin/asterisk“. We don’t use asterisk at all so
>> there is no binary file located at this location.
>
> It's not uncommon for scripts and applications to mimic a seemingly
> innocuous process name like "/usr/local/bin/httpd -DSSL". And
> Glibc, depending on your version, used to include a binary called
> 'doexec' that would do the same: arbitrarily change argv[0] to
> Something Completely Different. A quick and dirty way could be to
> compare the output '\ps -ocmd' sees with the value of 'readlink -f
> /proc/$PID/exe' and check the file on disk. This does however cause
> false positives like with kthread(d) children (not actual user land
> processes), processes using symlinks (also see /etc/alternatives/),
> ephemeral processes, mount point usage like with Fedora (/bin
> symlinked to /usr/bin) and processes that legitimately change their
> process name like Sendmail, Screen, etc, etc.
>
>
>> Here comes my question:
>> Is rkhunter able to check whether the process file exists in the
>> filesystem? Would it make sense to check this at all?
>
> It would be possible but please realize RKH is a simple, post-
> incident way of checking things. Finding such an application is
> only a -=[ symptom ]=- of a breach of security occurring earlier.
> This IMHO means the emphasis should be on admin and security best
> practices like preventive maintenance and proper system hardening.
> One tool already covering process watching is Samhain and also the
> audit service is able to log execves.
>
>
> HTH,
> unSpawn
> ---
>
--
Bastian Bringenberg
TYPO3 Server Administration Team Member
TYPO3 .... inspiring people to share!
Get involved: http://typo3.org
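The check unSpawn sketches above (the command name ps reports against `readlink -f /proc/$PID/exe`), as an added example that is neither from this thread nor from rkhunter: a POSIX sh script that classifies each process and skips the false-positive classes he lists. The ALLOW_RENAME list is an assumption to be adjusted locally.

```shell
#!/bin/sh
# Added example (not code from the thread or from rkhunter): compare the
# command name ps reports with the binary /proc/PID/exe really points to,
# as unSpawn sketches above, skipping the false-positive classes he lists.

# Daemons known to rewrite their own argv[0]; assumed list, adjust locally.
# Matched against the real binary (exe), never against the claimed name.
ALLOW_RENAME="sendmail screen tmux postgres"

# classify ARGV0 EXE -> prints SKIP, OK, ALLOW, MISMATCH or MISSING.
# ARGV0: first word of 'ps -o args='; EXE: 'readlink -f /proc/PID/exe',
# empty for kernel threads or processes that vanished meanwhile.
classify() {
  argv0=${1#-}; exe=$2                                # login shells: "-bash"
  case "$argv0" in
    '['*']'|'('*')'|'') echo SKIP; return 0 ;;        # [kworker/0:1], (sd-pam)
  esac
  [ -n "$exe" ] || { echo SKIP; return 0; }          # ephemeral process
  case "$argv0" in
    */*) claimed=$argv0 ;;                            # path given as-is
    *)   claimed=$(command -v "$argv0" 2>/dev/null || printf '%s' "$argv0") ;;
  esac
  # Follow symlinks on the claimed side too: /etc/alternatives, Fedora's
  # /bin -> /usr/bin. exe is already fully resolved by readlink -f.
  resolved=$(readlink -f "$claimed" 2>/dev/null || printf '%s' "$claimed")
  [ "$resolved" = "$exe" ] && { echo OK; return 0; }
  for name in $ALLOW_RENAME; do
    [ "$(basename "$exe")" = "$name" ] && { echo ALLOW; return 0; }
  done
  # The asterisk case from the thread: the claimed path has no file behind it
  if [ -e "$claimed" ]; then echo MISMATCH; else echo MISSING; fi
  return 0
}
# Walk /proc and report only the two suspicious verdicts.
scan() {
  for d in /proc/[0-9]*; do
    set -f                                            # no globbing of argv words
    pid=${d#/proc/}
    args=$(ps -o args= -p "$pid" 2>/dev/null) || continue
    set -- $args
    exe=$(readlink -f "$d/exe" 2>/dev/null)
    verdict=$(classify "${1:-}" "$exe")
    case $verdict in
      MISMATCH|MISSING) printf '%s pid %s: ps says %s, exe is %s\n' \
                          "$verdict" "$pid" "${1:-}" "$exe" ;;
    esac
  done
}
if [ "${1:-}" = --scan ]; then scan; fi
```

Run it with `--scan` to walk the live /proc; everything it reports still needs a look at the file on disk, as unSpawn says.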
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users