Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Incidents
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: exploit or human

from [Eduardo Kienetz] Network Security [Permanent Link]
Subject: Re: exploit or human
Date: Thu, 31 Mar 2005 17:59:33 -0300 
On Thu, 31 Mar 2005 18:14:49 +0200, Victor Calzado <vcalzado@gmail.com> wrote:

Hi,

Valentin Avram wrote:


Hello.

Most of the symptoms you describe and the "sudden" falling of more
systems does point to a rootkit that was installed on the first
compromised machine (FC2). That machine might have been later used to
gain access to the other servers in your network.

...

Also the failure to restart the server
usually is a consequence of that. One way to make that sure is to get
the hdd from the possibly compromised machine, put it on an offline
system which has rkhunter (or other rootkit-detection software)
installed and check it. After the signs you described, it quite very
probably you'll find a rootkit.

RH's before RHEL are ok (from the stability point of view) as long as
you keep the exposed services uptodate (recompilation from source).
Don't use the old software they come with, cause you might just open a
door to your system.

...
I'm sorry but probably you will find more infected systems all over your
network. You will probably need to reinstall every compromised server
and any content recovered from an "infected" system should be scanned
for viri and checked for rootkits.


Run chkrootkit: http://www.chkrootkit.org

Regards,

-- 
Eduardo  Bacchi Kienetz
http://www.noticiaslinux.com.br/eduardo/
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: exploit or human, Victor Calzado
Next by Date:  Re: exploit or human, Juri Haberland
Previous by Thread:  Re: exploit or human, Victor Calzado
Next by Thread:  Re: exploit or human, Juri Haberland
Indexes:  [Date] [Thread] [Top] [All Lists]