IDS mailing list archives

Previous By Date Next
Previous By Thread Next

RE: tripwire failed???

From: Zhihao <zhihao () root sg>
Date: Mon, 06 Aug 2007 14:53:53 +0800
It is probably a good idea to move on to Osiris, http://osiris.shmoo.com

It uses a client server architecture for the deployment of scanning agents
and the storage of the hashes. Another useful feature it has is the ability
to detect newly loaded kernel modules which I believe would had been a
little more helpful in your case.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Stefano Zanero
Sent: Wednesday, 18 July, 2007 12:19 AM
To: anthony () synt3gra com
Cc: focus-ids () securityfocus com
Subject: Re: tripwire failed???


I have discovered that my server has been compromised.  


Welcome to the happy club comprising... everybody who's ever managed a
server :D


I believe it's
some sort of rootkit.


You should also hunt for the way IN, otherwise you will never shut out
the attacker. The rootkit is a way to REMAIN in, not a way to get entry.


 It has managed to circumvent both rkhunter and
tripwire.


Cool. How are you running tripwire, exactly ? Is the list of hashes on
the same box that was compromised ? If so, I believe I can see why your
tripwire didn't work :D

Also, if the rootkit is loaded in kernel space, tripwire will be silent.


anyone know how I might detect/remove such  rootkit?  I hate to have to
reload OS/tripwire/rkhunter/reload permissions... start over.


Sorry, you have to. There's no other safe way to get that box clean.

Stefano

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=in
tro_sfw 
to learn more.
------------------------------------------------------------------------



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: