KCLUG February 2005

kclug@kclug.org

47 participants
115 discussions

Trojan Found
by Jonathan Hutchins 01 Mar '05

01 Mar '05

I found a trojan running on my server today - rootedoor (http://vil.mcafeesecurity.com/vil/content/v_128116.htm). Couldn't find much information about it on the web. If you know anything specific about it (not general speculation on rootkits, trojans, etc.), I would appreciate you sharing it with the list. I detected it running as one of the last two processes listed by 'ps ax' just before a reboot to install a new kernel; the reboot seems to have elimiated all traces of it from the system. I found a number of missing or corrupt perl modules on the system, but that may not be related, it's an old system and I've had some perl issues before. This _is_ the system that suddenly lost all it's files Sunday night, so it could have been hacked before.

4 13

Re: Trojan Found
by Brian Kelsay 28 Feb '05

28 Feb '05

Do these 2 tools work with the standard .debs I grab when I update my PC? Still figuring some intricacies of Debian out. Brian Kelsay >>> Chris Bier <chris.bier(a)cymor.com> 02/28/05 01:22PM >>> | | On this note, other than CRC checking and MD5 checksum options, | | is there any kind of an equivalent with Debian for this type of | | check? I'm guessing no | <snip /> | | debsig-verify | | http://www.linuxmafia.com/faq/Debian/package-signing.html | also dpkg-sig

1 0

RE: Trojan Found
by Brian Densmore 28 Feb '05

28 Feb '05

> -----Original Message----- > From: Jonathan Hutchins > > ... I did a CRC check against ALL of the system files. They're > fine. I checked > RPM before I used it to check the rest of the system. > > RPM's a great tool for a lot of things, including verifying > system integrity. ... > > It's VERY hard to hack an RPM system in such a way as to > conceal tampering > with files within the packages. Not impossible, but hard in > a way that the > low-level simplicity of rootedoor tends to contraindicate. > On this note, other than CRC checking and MD5 checksum options, is there any kind of an equivalent with Debian for this type of check? I'm guessing no. Although, it might be possible to build an rpm database of installed software on a Debian box and then use that as an additional check. Of course there's nothing, stopping a cunning cracker from building an RPM database, setting the timestamp and copying it onto the cracked system. Something possible with Jonathon's box too. Jonathon, was your check done with a local copy of the RPM database, or an archived known good copy? Certainly, if I were a cracker, installing a new copy of the RPM database would be part of my initial and every subsequent loading of software onto a cracked system. After all, to be successful at cracking it best to remain undetected. Brian

3 3

RE: Trojan Found
by Charles, Joshua Micah (UMKC-Student) 28 Feb '05

28 Feb '05

>Tucson, in fact. The manager at the ISP down there mounted the drive in a "spare" server running RH9 on VMWare, and gave me ssh access to it. I >reformatted the partitions and used rsync to reinstall. It took many hours, >even though it was only about 2.5G of data. I could have filtered it a >little better and used compression to speed it up some, but with the low >upstream bandwidth from RR it was just slow. I'm a niave person that has absolutely no knowledge of how to administer a server. That said, what is the possibiliy that the machine you rsync'd from has been compromised?

2 1

Re: CPAN
by Brian Kelsay 28 Feb '05

28 Feb '05

Yeah, you can update RH or Fedora with apt-get or YUM once you set up the program and point to the repositories. Apt4RPM is a bit easier than using RH update manager. I was always getting timeouts from the official RH mirrors during the day. Late at night would sometimes work. Brian Kelsay >>> Jonathan <djgoku(a)gmail.com> 02/28/05 10:12AM >>> Brian Kelsay wrote: >Wouldn't this be a good time to upgrade then? > >Brian Kelsay > I would sure hope so, maybe to a FC3? Then keeping up to do wouldn't be so hard if you were using the debian package management. Doesn't FC3 us something like that to update? I have never actually used FC yet. Thanks, Jonathan

3 2

RE: Trojan Found
by Brian Densmore 28 Feb '05

28 Feb '05

At the risk of sounding foolish, I'll jump in with my opinion. I' m no security expert either, but have learned something about security. I think your terminology for "rooted" is shall we say "creative". The fact the all of your files were wiped from the disk, and you seem to have ruled out hardware failure, the logical conclusion is that some process/user with root-level authority deleted all the files. The fact you discovered rootedoor after reinstalling doesn't preclude the possibility that it *was not* there before. I don't know the specifics of your machine and you certainly seem to know what you are doing, and I'm not suggesting you wipe your machine. I don't know if/why any of your clients have root level access, so if they do then it is certainly possible that one of them did it by accident, as you seem to think. I find it unlikely that some arbitrary process did this, and if it did then you need to seriously look at the uids that these processes run as. There is no reason for most programs and I see no reason for any web program to run with root privileges. I am curious though how the re-install was accomplished, seeing as how you live here in the KC Metro and the machine is 1000+ miles away in AZ, IIRC. I'd also like to say, that it appears by your numerous replies on this these threads that you take pretty good care of security, which makes finding out what might have happened more important. Since a successful hack might indicate a zero-day exploit, while it could also be highly likely that a local user's account has been compromised. Brian

2 1

Re: CPAN
by Brian Kelsay 28 Feb '05

28 Feb '05

Wouldn't this be a good time to upgrade then? Brian Kelsay >>> Jonathan Hutchins <> 02/25/05 05:22PM >>> On Friday 25 February 2005 05:10 pm, D. Hageman wrote: Unfortunately, with what is now a rather ancient distribution (RH7.3), it's getting harder to keep it current with RPMs.

2 1

RE: VOIP experiences
by Brian Kelsay 28 Feb '05

28 Feb '05

Found this Slashdot article on VOIP and QoS this morning. There was some stuff I didn't know and some of the usually ranting and chaff. Take what you need. http://ask.slashdot.org/article.pl?sid=05/02/24/0024257 Brian Kelsay

1 0

Re: command line advice
by Jonathan 28 Feb '05

28 Feb '05

> I also use gaim and have the sounds turned on within its preferences. > In the Suse control center, there is a sound and mutimedia option, > that has a sound notification option. Under event source are listed > all the applications that are configured for sound. Gaim is not among > them, and there doesn't seem to be any option to add it, which is why > I thought it might be possible to do so using the command line. I am not sure there is any command line options like that for gaim. I don't know why you want the sound stuff in Suse Control Center unless you want to control all at one place, but I think I would be too much and not worth it to do that. What is the sound notification option for anyways? Thanks, Jonathan

1 0

command line acvice
by jgtgru 27 Feb '05

27 Feb '05

I recently installed Suse 9.2 and would like to become familiar with Linux and command line. My idea is to take on projects so that I can learn this in a hands on way, I am also open to suggestions. One simple project that I would like to start with is to get the sound enabled for my instant messenger. At present I have sound on most desktop applications, but certain applications are not included in the Control Center listing. My thought is to add the instant messenger to that list using the command line. Please advise. It's not the life that matters, but the courage we bring to it. jgtgru

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

KCLUG February 2005