[Dshield] Laba Rootkit

Mark Tombaugh mtombaugh at alliedcc.com
Tue Feb 3 17:56:14 GMT 2004


On Tuesday 03 February 2004 10:47 am, Kevin Old wrote:
> Hello everyone,
>
> I had a system hacked last night running a custom version of RH 7.2.
> Seems the user came in via another user over SSH (not sure how). 

What sshd is/was it running? 
Since the local system could be compromised you want to start logging all 
traffic to and from the host in question, but do this from a different 
system, use ethereal, iptables, snort, etc. Chkrootkit's detection algorithm 
is signature based (much like a virus scanner), so its effectiveness is
questionable. Using data integrity checks (check out AIDE: 
<http://www.cs.tut.fi/~rammer/aide.html> ) at build can help you in 
situations like this, but you probably don't want to hear that now :/ 

-- 
Mark Tombaugh <mtombaugh at alliedcc.com>
Allied Computer Corporation <http://www.alliedcc.com>
USiHOST, iNC <http://www.usihost.com>
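The integrity-check approach Mark recommends, as an added example that is not part of the original post or of AIDE itself: a minimal AIDE-style baseline-and-compare script. It assumes POSIX sh with find, sort, awk, mktemp and coreutils sha256sum on PATH; the sample tree, the "rootkit" changes and the function names are constructed for illustration. As the post says, the baseline must be taken at build time and kept (and checked) from a different system, because on a compromised host the hashing tools themselves may be trojaned.

```shell
#!/bin/sh
# Added example, not from the original post or from AIDE: a toy file-integrity
# check. Records only content hashes; AIDE also tracks mode, owner, size,
# mtime and inode. Paths containing tabs or newlines are not handled.
# Assumes: POSIX sh, find, sort, awk, mktemp, coreutils sha256sum.

# baseline_tree DIR OUTFILE
# Writes one "<sha256>\t<relative path>" line per regular file under DIR.
baseline_tree() {
    dir=$1
    out=$2
    ( cd "$dir" && find . -type f | sort | while IFS= read -r f; do
        h=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s\t%s\n' "$h" "$f"
    done ) > "$out"
}

# compare_tree DIR BASELINE
# Rehashes DIR, prints sorted "changed|added|removed <path>" lines, and
# returns 0 only when nothing differs from BASELINE.
compare_tree() {
    dir=$1
    basefile=$2
    now=$(mktemp)
    baseline_tree "$dir" "$now"
    report=$(awk -F'\t' '
        FILENAME == ARGV[1] { base[$2] = $1; next }
        { cur[$2] = $1 }
        END {
            for (p in base) if (!(p in cur)) print "removed " p
            for (p in cur) if (!(p in base)) print "added " p
            for (p in cur) if ((p in base) && base[p] != cur[p]) print "changed " p
        }' "$basefile" "$now" | sort)
    rm -f "$now"
    [ -n "$report" ] && printf '%s\n' "$report"
    [ -z "$report" ]
}

# make_sample_tree DIR : constructed stand-in for a freshly built host
make_sample_tree() {
    mkdir -p "$1/bin" "$1/etc" "$1/var/log"
    printf 'original ls binary\n' > "$1/bin/ls"
    printf 'original ps binary\n' > "$1/bin/ps"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$1/etc/passwd"
    printf 'Feb  3 sshd: accepted login\n' > "$1/var/log/messages"
}

# tamper_tree DIR : constructed changes resembling a rootkit install
tamper_tree() {
    printf 'trojaned ls binary\n' > "$1/bin/ls"   # replaced system binary
    printf 'listener\n' > "$1/bin/.sshd2"         # new hidden backdoor
    rm -f "$1/var/log/messages"                   # log wiped
}

# Stand-alone demonstration: baseline at build, tamper, then compare.
demo() {
    root=$(mktemp -d)
    make_sample_tree "$root/host"
    baseline_tree "$root/host" "$root/aide.db"   # keep this copy off-host
    tamper_tree "$root/host"
    compare_tree "$root/host" "$root/aide.db" || echo "integrity check FAILED"
    rm -rf "$root"
}
demo
```

Running it reports the replaced binary, the new hidden file and the removed log, while the untouched ps and passwd are silent; the same comparison on an unmodified tree returns 0 with no output.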
