[Dshield] Laba Rootkit
mtombaugh at alliedcc.com
Tue Feb 3 17:56:14 GMT 2004
On Tuesday 03 February 2004 10:47 am, Kevin Old wrote:
> Hello everyone,
> I had a system hacked last night running a custom version of RH 7.2.
> Seems the user came in via another user over SSH (not sure how).
What sshd is/was it running?
Since the local system could be compromised, you want to start logging all
traffic to and from the host in question, but do this from a different
system; use ethereal, iptables, snort, etc. Chkrootkit's detection algorithm
is signature based (much like a virus scanner), so its effectiveness is
questionable. Using data integrity checks (check out AIDE:
<http://www.cs.tut.fi/~rammer/aide.html>) at build can help you in
situations like this, but you probably don't want to hear that now :/
Mark Tombaugh <mtombaugh at alliedcc.com>
Allied Computer Corporation <http://www.alliedcc.com>
USiHOST, iNC <http://www.usihost.com>
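An added illustration of the AIDE-style integrity check suggested above (example code written for this note, not AIDE's own code or the poster's): it records a baseline of file hashes and attributes at build time and later reports what was added, removed or modified. Any paths and file contents used with it are assumptions.

```python
import hashlib
import os
import stat
from pathlib import Path

# Attributes recorded per file; a change in any of them is reported.
# mtime is deliberately left out: it is trivially reset by an intruder.
ATTRS = ("sha256", "size", "mode", "uid", "gid")

def _entry(path):
    """Hash and stat one file (symlinks are recorded but not followed)."""
    st = os.lstat(path)
    digest = None
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        digest = h.hexdigest()
    return {"sha256": digest, "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}

def build_baseline(root):
    """Walk `root` and record every file, keyed by path relative to root."""
    # Store the result off the host (read-only media or another system);
    # a baseline the intruder can rewrite proves nothing.
    root = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = _entry(p)
    return baseline

def compare(baseline, current):
    """Return (added, removed, changed); changed maps path -> attributes that differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        diffs = [a for a in ATTRS if baseline[rel].get(a) != current[rel].get(a)]
        if diffs:
            changed[rel] = diffs
    return added, removed, changed
```

Unlike a signature scanner, this flags any replaced binary or altered permission bit, whether or not the change matches a known rootkit.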