Re: tripwire failed???

From: Stefano Zanero (s.zanerosecurenetwork.it)
Date: Tue Jul 17 2007 - 11:19:26 CDT


> I have discovered that my server has been compromised.

Welcome to the happy club comprising... everybody who's ever managed a
server :D

> I believe it's
> some sort of rootkit.

You should also hunt for the way IN, otherwise you will never shut out
the attacker. The rootkit is a way to REMAIN in, not a way to get entry.

> It has managed to circumvent both rkhunter and
> tripwire.

Cool. How are you running tripwire, exactly? Is the list of hashes on
the same box that was compromised? If so, I believe I can see why your
tripwire didn't work :D

Also, if the rootkit is loaded in kernel space, tripwire will be silent.

> anyone know how I might detect/remove such rootkit? I hate to have to
> reload OS/tripwire/rkhunter/reload permissions... start over.

Sorry, you have to. There's no other safe way to get that box clean.

Stefano
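As an added example, not part of Stefano's reply and not tripwire's own code: a minimal file-integrity check written to avoid the two failure modes named above. The hash list is sealed with an HMAC under a key that is assumed to live off the host (the key value, and the constructed bin/ls, bin/ps and bin/.hidden files, are hypothetical), and the checker takes a mount point as its root, so on a suspect machine it is meant to run from rescue media against the disk mounted read-only rather than through a kernel that may be lying to userland. The demo shows a clean run, a same-size trojaned binary plus a dropped file being reported, and a hash list regenerated on the box being rejected because the attacker cannot re-seal it without the key.

```python
import hashlib
import hmac
import json
import os
import tempfile


def build_baseline(root, key):
    """Hash every regular file under root and seal the manifest with an HMAC.

    root is the mount point of the filesystem being checked (on a suspect box,
    mount its disk read-only from rescue media and pass that path).  key is the
    HMAC key; it must live off the host, otherwise an attacker with root can
    re-seal a manifest that matches their modified files.
    """
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            st = os.lstat(path)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            entries[rel] = {"sha256": digest, "mode": st.st_mode, "size": st.st_size}
    body = json.dumps(entries, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"entries": body, "tag": tag}


def verify_baseline(root, key, baseline):
    """Return (baseline_trusted, changes).

    baseline_trusted is False when the manifest's HMAC does not verify, i.e.
    the stored hash list itself was tampered with; the change list is then
    meaningless and is returned empty.  Otherwise changes holds
    ("added"|"removed"|"modified", relative path) for every difference between
    the sealed manifest and the files now on disk.
    """
    body = baseline["entries"]
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, baseline["tag"]):
        return False, []
    saved = json.loads(body)
    current = json.loads(build_baseline(root, key)["entries"])
    changes = []
    for rel in sorted(set(saved) | set(current)):
        if rel not in saved:
            changes.append(("added", rel))
        elif rel not in current:
            changes.append(("removed", rel))
        elif saved[rel] != current[rel]:
            changes.append(("modified", rel))
    return True, changes


def demo():
    """Build a small constructed tree, seal it, then simulate two attacks."""
    key = b"hypothetical-key-kept-off-the-host"  # assumption: never stored on the box
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        # Constructed sample files standing in for real binaries.
        for name, data in (("ls", b"ELF original ls\n"), ("ps", b"ELF original ps\n")):
            with open(os.path.join(bindir, name), "wb") as fh:
                fh.write(data)
        baseline = build_baseline(root, key)
        results = {"clean": verify_baseline(root, key, baseline)}

        # Attack 1: the rootkit replaces ls with a same-size trojan and drops a file.
        with open(os.path.join(bindir, "ls"), "wb") as fh:
            fh.write(b"ELF trojaned ls\n")
        with open(os.path.join(bindir, ".hidden"), "wb") as fh:
            fh.write(b"backdoor\n")
        results["tampered"] = verify_baseline(root, key, baseline)

        # Attack 2: the attacker also regenerates the hash list on the box so it
        # matches the trojaned files, but without the key cannot produce a valid
        # tag and has to reuse the old one.  The stale tag no longer verifies.
        forged = {"entries": build_baseline(root, b"attacker-guess")["entries"],
                  "tag": baseline["tag"]}
        results["forged"] = verify_baseline(root, key, forged)
    return results


if __name__ == "__main__":
    for label, (trusted, changes) in demo().items():
        print(f"{label}: baseline trusted={trusted} changes={changes}")
```

The HMAC only protects the hash list from being silently rewritten; it does nothing about a kernel-resident rootkit that filters what open() and readdir() return on the live system, which is why the root argument exists: point it at the suspect disk mounted from a trusted boot, not at / on the running box.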
