Found, a new rootkit

John Summerfield debian at herakles.homelinux.org
Sat Apr 1 00:29:44 UTC 2006


Gene Heskett wrote:

> We've cut our bandwidth use in half by getting rid of that.  We also 
> checked the logs and added several dozen more addresses 
> to /etc/hosts.deny, 

That is fairly useless. IP addresses of attackers change as quickly as 
IP addresses of spammers, and they have so many it's like trying to 
fence off the porn sites of the world.

More important is to discover how the rogue gained entry and to close 
that loophole. How did the shell script get there? Whose account was 
used? Does .bash_history include useful clues about what was done? Did 
the attacker send email after gaining entry? If so, the recipient domain 
(eg Yahoo) may be interested.

Root's account, eh? Disallow password-based authentication for root. 
Ensure that only those who need it have shell accounts, and that those 
have good passwords. _I_ have incoming ssh land on my personal desktop, 
where there is only my password to worry about.
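An added check for the sshd advice above (example code, not part of this thread): a POSIX sh audit that reports whether a given sshd_config still permits root password logins, honouring sshd's first-value-wins rule. The sample config files it writes, and the worst-case defaults it assumes for missing keywords, are constructed for this example.

```shell
#!/bin/sh
# Audit an sshd_config for root password logins.
# sshd uses the FIRST value it sees for a keyword; keywords are case-insensitive.
# Only the global section is examined: anything after the first "Match" line
# is conditional and ignored here (assumption made for this example).

# Print the effective global value of keyword $2 in file $1, or default $3 if unset.
sshd_opt() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(awk -v key="$key" '
        /^[[:space:]]*(#|$)/   { next }                 # comments and blank lines
        tolower($1) == "match" { exit }                 # end of the global section
        tolower($1) == key     { print $2; exit }       # first occurrence wins
    ' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Exit 0 if root can authenticate over ssh with a password, 1 if not.
# Missing keywords are treated as the worst case (PermitRootLogin yes,
# PasswordAuthentication yes), which matches older OpenSSH defaults; newer
# releases default PermitRootLogin to prohibit-password, so an unset keyword
# is flagged on purpose rather than trusted.
root_password_login_allowed() {
    prl=$(sshd_opt "$1" PermitRootLogin yes | tr 'A-Z' 'a-z')
    pa=$(sshd_opt "$1" PasswordAuthentication yes | tr 'A-Z' 'a-z')
    case "$prl" in
        no|without-password|prohibit-password|forced-commands-only) return 1 ;;
    esac
    [ "$pa" = "yes" ]
}

# Constructed sample configs: a weak one, one "fixed" by appending a line
# (which sshd ignores, since the first value wins), and a hardened one.
TMPD=$(mktemp -d)
WEAK="$TMPD/sshd_config.weak"
APPENDED="$TMPD/sshd_config.appended"
HARDENED="$TMPD/sshd_config.hardened"
printf '%s\n' '# stock settings' 'PermitRootLogin yes' 'PasswordAuthentication yes' > "$WEAK"
printf '%s\n' 'PermitRootLogin yes' 'PasswordAuthentication yes' \
    '# appended later, never takes effect:' 'PermitRootLogin no' > "$APPENDED"
printf '%s\n' 'permitrootlogin without-password' 'PasswordAuthentication yes' \
    'Match User backup' '    PasswordAuthentication no' > "$HARDENED"

for f in "$WEAK" "$APPENDED" "$HARDENED"; do
    if root_password_login_allowed "$f"; then
        echo "$f: root password login ALLOWED"
    else
        echo "$f: root password login blocked"
    fi
done
```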




More information about the fedora-list mailing list