IDS mailing list archives
RE: tripwire failed???
From: Zhihao <zhihao () root sg>
Date: Mon, 06 Aug 2007 14:53:53 +0800
It is probably a good idea to move on to Osiris, http://osiris.shmoo.com It uses a client server architecture for the deployment of scanning agents and the storage of the hashes. Another useful feature it has is the ability to detect newly loaded kernel modules which I believe would had been a little more helpful in your case. -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Stefano Zanero Sent: Wednesday, 18 July, 2007 12:19 AM To: anthony () synt3gra com Cc: focus-ids () securityfocus com Subject: Re: tripwire failed???
I have discovered that my server has been compromised.
Welcome to the happy club comprising... everybody who's ever managed a server :D
I believe it's some sort of rootkit.
You should also hunt for the way IN, otherwise you will never shut out the attacker. The rootkit is a way to REMAIN in, not a way to get entry.
It has managed to circumvent both rkhunter and tripwire.
Cool. How are you running tripwire, exactly ? Is the list of hashes on the same box that was compromised ? If so, I believe I can see why your tripwire didn't work :D Also, if the rootkit is loaded in kernel space, tripwire will be silent.
anyone know how I might detect/remove such rootkit? I hate to have to reload OS/tripwire/rkhunter/reload permissions... start over.
Sorry, you have to. There's no other safe way to get that box clean. Stefano ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=in tro_sfw to learn more. ------------------------------------------------------------------------ ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
Current thread:
- RE: tripwire failed??? Zhihao (Aug 07)