rootkit?

[John Summerfied]

Craig White wrote:

>>>Sounds like a guessed password then.  Regardless, the best thing to do
>>>is to rebuild from scratch and then set strong passwords on all
>>>accounts.  That is the only way to be sure the system is really back
>>>under your control.

setting users' shells to /bin/false can help too. Ask can use of 
tcpwrappers, both to control where acceptable connexions come from (if 
you're not from _my_ area you can't get connected long enough to discuss 
authentication) and to alert to attempts:

www:~# tail /etc/hosts.{allow,deny}
==> /etc/hosts.allow <==
#
# Example:    ALL: LOCAL @some_netgroup
#             ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# If you're going to protect the portmapper use the name "portmap" for the
# daemon name. Remember that you can only use the keyword "ALL" and IP
# addresses (NOT host or domain names) for the portmapper. See portmap(8)
# and /usr/doc/portmap/portmapper.txt.gz for further information.
#
sshd: 192.168. 203.34.  220.235.  203.59. 203.55. 203.33.  202.72.

==> /etc/hosts.deny <==
# The PARANOID wildcard matches any host whose name does not match its
# address. You may wish to enable this to ensure any programs that don't
# validate looked up hostnames still leave understandable logs. In past
# versions of Debian this has been the default.
# ALL: PARANOID
sshd: ALL

false: ALL: spawn ((echo attack from  %h;id -a) | \
                /usr/bin/mail -s %d-%h root) &

www:~# cat /etc/xinetd.d/telnet
# default: off
# description: An internal xinetd service which gets the current system time
# then prints it out in a format like this: "Wed Nov 13 22:30:27 EST 2002".
# This is the tcp version.
service telnet
{
         disable         = no
         socket_type     = stream
         protocol        = tcp
         user            = games
         wait            = no
         flags           = NAMEINARGS
         server          = /usr/sbin/tcpd
         server_args     = /bin/false
}

www:~#

Read docs and/or try it out if you don't understand it.

>>>
>>
>>Isn't rebuilding a little extreme?  If the cracker got into an
>>unpriviledged user's account and no further isn't that particular user
>>account the only thing at risk?  Shouldn't changing all passwords to
>>strong ones and deleting the infected user account and files be
>>sufficient?
> 
> ----
> You would have to know EXACTLY what was compromised and that would be
> difficult to determine and clearly it would take a lot less time than
> simply backing up the data, wiping out the installation and reinstalling
> fresh. Once a box is owned by someone else, you can't trust anything
> including reports from things like rpm -Va. The only thing you might be
> able to trust is a check from tripwire which had the checksums stored on
> a read-only filesystem like a CD.

rpm -Va with a known good rpm (eg rescue cd) would do me.


-- 

Cheers
John

-- spambait
1aaaaaaa at computerdatasafe.com.au  Z1aaaaaaa at computerdatasafe.com.au
Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/

do not reply off-list