xfs

Re: XFS tree for Red Hat should be moved to at least kernel-2.4.20-20

To: Ethan Benson <erbenson@xxxxxxxxxx>
Subject: Re: XFS tree for Red Hat should be moved to at least kernel-2.4.20-20
From: Mike Burger <mburger@xxxxxxxxxxxxxxxxx>
Date: Sun, 14 Sep 2003 21:41:47 -0500 (EST)
Cc: linux-xfs@xxxxxxxxxxx
In-reply-to: <20030914214745.GD827@xxxxxxxxxxxxxxx>
Sender: linux-xfs-bounce@xxxxxxxxxxx
Actually, it didn't cost me anything, but that's irrelevant.  The reason I 
found the "infected" files in my /tmp directory, in the first place, was 
that AntiVir spotted them, and chkrootkit hasn't spotted them anywhere 
else.

You are right, though...I probably do need to reinstall...but I'd still 
like to know exactly how they got in.

On Sun, 14 Sep 2003, Ethan Benson wrote:

> On Sun, Sep 14, 2003 at 10:47:50AM -0500, Mike Burger wrote:
> > I'll check out Axel's RPMs.  If they're created against Red Hat's sources, 
> > I'll probably be happy.
> > 
> > Luckily for me, I have H+BEDV's AntiVir scanning my system, each night, 
> > and it detects this type of thing, so I don't think the thing actually got 
> > installed to where it can do any damage...but I want to be as safe as 
> > possible.
> 
> oh please.  if there are pieces of rootkit on your box then whether
> they installed it or not is IRRELEVANT, your box was compromised,
> period.
> 
> you cannot know what they did or did not do, your only responsible
> recourse is a complete mkfs of all filesystems (i would dd the entire
> disk with zeros) and a reinstall, then to audit your latest backup of
> user data (do NOT restore ANY binaries).
> 
> they could have installed a kernel module which will alter the
> behavior of arbitrary tools WITHOUT replacing any binary on your
> system, which means tripwire and the most expensive `antivirus'
> software will NOT be able to help you.  don't think that such a module
> will show up in lsmod output either, or that its file is visible to
> you on the filesystem.
> 
> your box has been compromised, you need to rebuild it.
> 
> 

-- 
Mike Burger
http://www.bubbanfriends.org

Visit the Dog Pound II BBS
telnet://dogpound2.citadel.org or http://dogpound2.citadel.org:2000

To be notified of updates to the web site, send a message to:

site-update-request@xxxxxxxxxxxxxxxxx

with a message of: 

subscribe


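The thread's advice is to rebuild from scratch and to audit the last user-data backup before restoring it, restoring no binaries. As an added example (not code from either poster), the POSIX shell function below walks an unpacked backup tree in a staging directory and flags the classes of file that should never come back from a backup taken on a compromised host: ELF executables and shared objects (found by the first four bytes, not by extension or mode), setuid/setgid files, and shell start-up files that would re-run whatever was planted at the next login. The staging directory path and the list of start-up file names are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the thread.  Audit an unpacked backup tree for
# files that must not be restored after a compromise.  Assumes the backup
# has been extracted under a staging directory (e.g. /mnt/restore-staging),
# not restored in place over the rebuilt system.

# Print one line per suspicious file: "<reason> <path>"
audit_backup_tree() {
    dir="$1"

    # 1. ELF objects, identified by the magic bytes 0x7f 'E' 'L' 'F'.
    #    Checking content rather than names catches a payload hidden as
    #    ".cache" or "notes.txt".  od -c renders 0x7f as the octal "177".
    find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
        magic=$(head -c 4 "$f" 2>/dev/null | od -A n -c | tr -d ' \n')
        case "$magic" in
            '177ELF') echo "elf $f" ;;
        esac
    done

    # 2. setuid / setgid files: a classic way to leave a root shell behind
    #    in a user's home directory.
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
        | sed 's/^/setuid-setgid /'

    # 3. Login-time scripts that can re-launch a payload on first login.
    #    The name list is an assumption; extend it for the shells in use.
    find "$dir" -type f \( -name '.bashrc' -o -name '.bash_profile' \
        -o -name '.profile' -o -name '.xinitrc' \) 2>/dev/null \
        | sed 's/^/startup-script /'
}

# usage: sh audit_backup.sh /mnt/restore-staging
if [ "$#" -gt 0 ]; then
    audit_backup_tree "$1"
fi
```

Anything the function reports is reviewed by hand (or simply dropped) before the remaining user data is copied onto the rebuilt system; documents and mail survive, executables and login hooks do not.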