Security Basics mailing list archives

Re: possibly compromised redhat 7.2 box UPDATE - harden


From: Alvin Oga <alvin.sec () Virtual Linux-Consulting com>
Date: Thu, 27 May 2004 06:45:31 -0700 (PDT)


hi ya melissa

> Checked it out and found the suckit rootkit on that box as well as 4 others.
> I'm in the process of reloading them. I don't have any extra drives or
> anything to save info for forensic purposes. I've done some googling for the
> info but most of what I've found is porn and people with the rootkit. Anyone
> know any tech info on it? Or a good place to find detailed instructions on
> locking down RH 7.2? (Boss won't let me upgrade or switch to another OS,
> hands are tied).

if the boss won't let you upgrade ...

a) point out that even redhat does NOT support rh-7.2 anymore
no official support for even rh-9 
        ie... you are on your own to apply patches from the 10,000
        different packages that release patches as it occurs

b) you should follow all the basic steps to harden the servers ...
        - should be about 2-3 days of efforts to compile the new
        upgrades and install it
        ( you will probably NOT find the *.rpm for your rh-7.2

        - if you didn't spend that amt of time to apply about 200-300
        patches ...  then some vulnerabilities are probably
        still exploitable
        ( 200-300 is the number of *.rpm packages for d/l and installing
        ( to patch the servers .. in this case, you'd be getting the
        ( original source code instead to compile it locally

c) consider this break-in as a testing grounds that indicates that
   things NEED to be fixed and changed  and that you're NOT liable
   if your hands are tied for whatever reason 
        ( crazy reasons or budgets or time or ?? )

server hardening ...
        http://www.Linux-sec.net/

        - note the top-7 or top-20 security problems

have fun
alvin
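An added example, not part of Alvin's reply or of the linux-sec.net material: before reloading an RPM-based box like the RH 7.2 hosts above, one cheap triage step is to run `rpm -Va` (verify all installed packages) and pull out system binaries whose size or MD5 digest no longer match the package database. The script below parses that output format; the input embedded here is a constructed sample, not output from the compromised machines. Caveat: a rootkit that also edits the rpm database, or that hides files from userland, will not show up this way, so treat a clean result as weak evidence and boot from trusted media for the real check.

```shell
#!/bin/sh
# Added example: flag system binaries that `rpm -Va` reports as altered.
# `rpm -Va` prints one line per file that fails verification: an 8-character
# flag field (S=size, M=mode, 5=MD5 digest, D=device, L=link, U=user,
# G=group, T=mtime), an optional attribute letter (c=config, d=doc), then the
# path. Missing files print "missing" instead of the flag field.

# Constructed sample of `rpm -Va` output (hypothetical, not from a real host).
SAMPLE_RPM_VA='S.5....T c /etc/ssh/sshd_config
S.5....T   /bin/ps
S.5....T   /bin/ls
.......T   /usr/share/doc/bash-2.05/README
.M......   /sbin/ifconfig
missing    /usr/bin/top'

# Print the paths of non-config, non-doc files under directories that hold
# executables or libraries whose digest (5) or size (S) changed, or that are
# missing outright. Mode- or mtime-only changes are dropped as noise.
suspicious_binaries() {
    printf '%s\n' "$1" | awk '
        $1 == "missing" { path = $2 }
        $1 != "missing" {
            flags = $1
            if ($2 == "c" || $2 == "d") next        # config/doc: review separately
            path = $2
            if (flags !~ /5/ && flags !~ /S/) next  # content unchanged
        }
        path ~ /^\/(bin|sbin|usr\/bin|usr\/sbin|lib|usr\/lib)\// { print path }
    '
}

# Number of flagged paths, handy for a quick yes/no in a script.
count_suspicious() {
    suspicious_binaries "$1" | wc -l | tr -d ' '
}

# On a live host you would feed real output instead:
#   suspicious_binaries "$(rpm -Va 2>/dev/null)"
suspicious_binaries "$SAMPLE_RPM_VA"
```

Replaced `ps`, `ls` and `netstat` style binaries are exactly the kind of change this surfaces; config files are excluded on purpose because a locally edited sshd_config is expected to differ from the package copy and should be reviewed by hand.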
