
OT: any one know about ZK bootkit?



Just wanted to apprise you of a neat tool a buddy of mine turned me
on to that might be a nice tool for this situation.

rkhunter

While I'm sure that this is not an absolute cure, it could let you do a
quick scan of the other machines on the same network to see if they have
been compromised as well.

You can get it @ :

http://packetstorm.linuxsecurity.com/filedesc/rkhunter-1.00RC3.tar.html

and it compiles and runs in no time.

As Drew said, a clean sweep of new passwords will be a necessity and I
would personally set up a new gateway machine to sniff
(ethereal/tcpdump) and log all network
exchanges for a bit and use a small script w/ grep and htdig/nslookup to
verify "known" hosts and their validity and dump all the "unknowns" to
a different file w/ the port that was accessed/attempted.

Oh.......NMAP YOURSELF FROM THE OUTSIDE!!!!!!!

HTH....Getting rooted sucks!!!!

Tim



Please stand for the National Anthem:

	O Canada
	Our home and native land
	True patriot love
	In all thy sons' command
	With glowing hearts we see thee rise
	The true north strong and free
	From far and wide, O Canada
	We stand on guard for thee
	God keep our land glorious and free
	O Canada we stand on guard for thee
	O Canada we stand on guard for thee

Thank you.  You may resume your seat.
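A sketch of the grep-and-known-hosts triage Tim describes, as an added example that is not from the original thread: a POSIX shell function that reads tcpdump output from stdin and reports every flow whose peer is not in a known-hosts file, together with the port that was touched, so the "unknowns" can be written to their own file. The log lines and host list below are constructed; the one assumption is that tcpdump was run with -n (numeric addresses, no hostnames).

```shell
#!/bin/sh
# Known hosts, one IPv4 address per line (constructed list, not from the thread).
KNOWN_HOSTS='192.168.1.5
192.168.1.10'

# Constructed "tcpdump -n" style lines; this is not a real capture.
SAMPLE_LOG='12:00:01.000001 IP 192.168.1.5.44321 > 192.168.1.10.22: Flags [S], seq 1
12:00:02.000002 IP 198.51.100.23.51000 > 192.168.1.10.22: Flags [S], seq 2
12:00:03.000003 IP 192.168.1.10.43000 > 203.0.113.9.6667: Flags [S], seq 3
12:00:04.000004 IP 198.51.100.23.51001 > 192.168.1.10.22: Flags [S], seq 4'

# find_unknowns KNOWN_FILE  (log on stdin)
# Prints one line per packet whose peer is not on the known list:
#   <unknown-peer> inbound to <known-host> port <dport>
#   <unknown-peer> outbound from <known-host> port <dport>
find_unknowns() {
  awk -v known="$1" '
    BEGIN { while ((getline h < known) > 0) if (h != "") ok[h] = 1 }
    $2 == "IP" {
      # fields: <time> IP <src.sport> > <dst.dport>: ...
      split($3, s, "."); src = s[1] "." s[2] "." s[3] "." s[4]
      split($5, d, "."); dst = d[1] "." d[2] "." d[3] "." d[4]
      dport = d[5]; sub(/:$/, "", dport)
      if (!(src in ok))      print src, "inbound to", dst, "port", dport
      else if (!(dst in ok)) print dst, "outbound from", src, "port", dport
    }'
}

# Demo: write the unknowns, counted per peer/port, to their own file.
tmp=$(mktemp -d)
printf '%s\n' "$KNOWN_HOSTS" > "$tmp/known.txt"
printf '%s\n' "$SAMPLE_LOG" | find_unknowns "$tmp/known.txt" | sort | uniq -c > "$tmp/unknowns.txt"
cat "$tmp/unknowns.txt"
rm -rf "$tmp"
```

Feed it a real capture with `tcpdump -n -l | find_unknowns known.txt >> unknowns.txt`; each unknown address can then be handed to nslookup by hand, as the post suggests.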

On Fri, 23 Jan 2004, Drew MacPherson wrote:

>
> Julie, a rootkit generally contains many methods for attempting to harvest
> system passwords - these range from ethernet sniffers to trojan password /
> login replacements.
>
> If you have a system that has a rootkit installed, then you need to take
> immediate steps to secure the system.  Immediately remove it from the net
> - as many rootkits also include backdoor access for the hacker that
> dropped it in - back up any pertinent data (do not backup binaries or
> shell scripts that may have been modified!) and reinstall the machine from
> scratch.  Before putting the machine back on the wire, install all
> applicable vendor patches otherwise the hacker will drop in using the same
> vulnerability before you can say "bob's your uncle."
>
> The issue does not stop there though - if there are any other systems that
> are accessed from the compromised system or are on the same network
> segment, then there is a very good chance that passwords may have been
> harvested, and/or those machines compromised as well.
>
> It is recommended that any passwords on these systems be changed and a
> thorough audit be conducted on these systems to determine if they have
> been compromised as well.
>
> Drew
>
> On Fri, 23 Jan 2004, Julie Macfarlane wrote:
>
> > Sorry about the OT, but I was hacked last night....
> > The Linux box crashed and I found this on my system. It failed and crashed
> > all the main systems in the box, but left all the logs  :)
> >
> > What is it supposed to do?
> >
> >
> >
> > Julie Macfarlane
> > 1981 MKI 2L 16v
> > Amsterdam NY
> >
> > _______________________________________________
> > Scirocco-l mailing list
> > Scirocco-l@scirocco.org
> > http://neubayern.net/mailman/listinfo/scirocco-l
> >
>
> --
> /=============================================\
> |  84 Wolfsburg Edition TurboDiesel Scirocco  |
> |    http://scirocco.cs.uoguelph.ca/gtd       |
> \=============================================/
>
>