Re: [SLUG] Re: Recovering from mischief

From: Ian C. Blenke (icblenke@nks.net)
Date: Mon Aug 26 2002 - 09:48:59 EDT


If you were rooted by a rootkit with an LKM (Loadable Kernel Module),
there's a good bet you will never know that you've been rooted.
Typically, such rootkits will remove all trace of their having been
inserted onto a system by intercepting all system calls and lying about
whatever they wish. Anything from file attributes (permissions, sizes,
timestamps, even contents) to hidden network connections can be made
completely invisible to all user-mode tools on your box.

Simply put, once you've been "0wn3d" (owned == rooted), your best bet is
to re-install a fresh image and begin anew.

- Ian C. Blenke <icblenke@nks.net>

On Sat, 2002-08-24 at 05:39, Darr Palmer wrote:
> On Saturday 24 August 2002 12:50 pm, you wrote:
> > Hello Darr
> >
> > On 24-Aug-02, you wrote:
> > > Hello again,
> > >
> > > I posted a thread last week regarding the apparent take over of my server
> > > by some external source.
> > >
> > > Thanks to all for the information on ckrootkit and the like. I ran the
> > > tools and it reported many missing files, but no direct hits for being
> > > rooted, however I am still unable to explain the events that occurred
> > > last weekend to my server.
> > >
> > > It has been suggested by some that perhaps my local email was being
> > > scanned by whatever or whoever it was and they left covering as much as
> > > their trail as possible after I sent my request for help. The fact that
> > > so many of the services just disappeared and numbers of files that just
> > > vanished may lend credibility to that theory.
> > >
> > > I have managed to restore most of my services, however I am unable to
> > > regain full usage of mail, ftp or samba.
> >
> > <SNIP>
> >
> > Managed to restore?
> >
> > You tried to repair it?
> >
> > As was the suggestion, you should have put in a new hard drive and restored
> > a previously good backup to it or just started from a fresh OS install if
> > you have no backups.
> >
> > Toolkits look for signatures, much like a virus checker does. It may not
> > find everything, which is why you start over. Most people like to keep the
> > 'contaminated' drive.
> >
> > You are skating on thin ice.
> >
> > Be afraid, be very afraid.
> >
> > Obviously, a restore from a regular backup prior to the event should have
> > fixed everything.
> >
> > If it hasn't, you can only assume that the 'intruders' took control
> > (rooted you) and jumped to every machine on your LAN, i.e. they are ALL
> > contaminated.
> >
> > You will have to be more specific/clear about what you have done.
> >
> >
> > Regards...Martin
>
> I have been trying to repair. I have changed my root passwords and run
> antivirus on all the M$ boxes. I looked to make sure only the appropriate
> permissions belong to the appropriate users.
>
> I have been uneasy all week trying to patch it. My last two backups are both
> suspect as they both occurred since the time that I now suspect the issue was
> going on.
>
> Thanks
>
> Darr
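The practical consequence of Ian's point is that nothing you run on the
possibly-rooted kernel can be trusted, so any integrity check has to be done
from the outside: boot the box from known-clean media, mount the suspect disk
read-only, and compare its files against a reference that predates the
incident. The following script is an added example, not code from anyone in
this thread; it assumes you have such a mounted, non-running filesystem and a
known-good tree (a pre-compromise backup, a vendor package set, or a fresh
install of the same release) to hash against. The two sample trees it builds
in a temporary directory are constructed stand-ins for those mount points.

```python
"""Offline file-integrity check: hash a mounted (not running) filesystem and
compare it against a baseline built from a known-good tree.

Run this from rescue media against a read-only mount of the suspect disk,
never from the suspect system itself, whose kernel may lie about file
contents and attributes (see Ian's note above).
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict

CHUNK = 1 << 16  # read files in 64 KiB blocks so large binaries do not load into RAM


def sha256_file(path: Path) -> str:
    """Content hash of one regular file; attributes alone are not trustworthy."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each regular file's path (relative to root) to its SHA-256.

    Symbolic links are skipped, both as directories and as files, so a planted
    link cannot redirect the walk outside the mount or hide a file behind it.
    """
    manifest: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames
                       if not os.path.islink(os.path.join(dirpath, d))]
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, list]:
    """Three-way diff of a suspect manifest against the known-good one.

    'modified' files (e.g. a replaced system binary) and 'added' files (e.g. a
    planted module or config) are the ones to examine; 'missing' files match
    the "many missing files" symptom reported earlier in this thread.
    """
    return {
        "modified": sorted(k for k in baseline
                           if k in current and baseline[k] != current[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> Dict[str, list]:
    """Constructed sample: a known-good tree and a suspect tree in which one
    binary was replaced, one file deleted and one unexpected file planted.
    Real use would pass the two mount points (e.g. /mnt/good, /mnt/suspect)."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "known_good"
        suspect = Path(tmp) / "suspect_mount"
        for root in (good, suspect):
            (root / "bin").mkdir(parents=True)
            (root / "etc").mkdir()
            (root / "bin" / "ls").write_bytes(b"original ls binary (constructed)")
            (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (good / "bin" / "ps").write_bytes(b"original ps binary (constructed)")
        # The suspect disk: ls differs, ps is gone, an unexpected file appeared.
        (suspect / "bin" / "ls").write_bytes(b"altered ls binary (constructed)")
        (suspect / "etc" / "unexpected.conf").write_text("planted (constructed)\n")
        return compare(build_manifest(good), build_manifest(suspect))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The comparison only tells you *what* differs, not whether the box is clean:
a file that hashes identical to the baseline was not tampered with, but a
baseline taken after the intrusion (as Darr suspects of his last two backups)
proves nothing, so the reference tree must come from before the incident or
from vendor media. The result is best used to scope the damage and decide
which data, not binaries, to carry over to the fresh install Ian recommends.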



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 17:03:20 EDT