IDS mailing list archives
tripwire failed???
From: anthony () synt3gra com
Date: Sun, 15 Jul 2007 15:11:11 -0400 (EDT)
I have discovered that my server has been compromised. I believe it's some sort of rootkit. It has managed to circumvent both rkhunter and tripwire. The only reason I detected it is because I happened to run a 'ps' command when the server was slow and noticed a connection from an unwarranted user. I then 'netstat'ed. Apparently, the attacker(s) are utilizing a program that obfuscates their presence in the usual logging areas as well. I just "happened" to catch them. 'ps -aux' showed that an UNKNOWN user was utilizing sshd. I was able to parse the output to a file for further viewing. I would post 'log-files' but they show no indication of compromise (as far as I can tell).

I know that there are a plethora of rootkits in circulation, but does anyone know how I might detect/remove such a rootkit? I hate to have to reload OS/tripwire/rkhunter/reload permissions... start over. Any other tools I should be utilizing?
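The symptom described above (a process and a connection that the usual tools do not show) can be checked with a cross-view comparison. This is an added example, not code from the original post or thread: it asks the kernel about every PID with kill(pid, 0) and parses /proc/net/tcp directly, then diffs both against what ps and netstat print. It assumes a Linux host with netstat installed.

```python
import os
import subprocess

def hexaddr(s):
    """'0100007F:0016' (little-endian hex, as in /proc/net/tcp) -> '127.0.0.1:22'."""
    ip_hex, port_hex = s.split(":")
    return ".".join(str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)) + ":" + str(int(port_hex, 16))

def parse_proc_net_tcp(text):
    """ESTABLISHED (state 01) IPv4 sockets the kernel knows about, as {(local, remote)}."""
    rows = [l.split() for l in text.splitlines()[1:]]   # first line is the header
    return {(hexaddr(f[1]), hexaddr(f[2])) for f in rows if len(f) > 3 and f[3] == "01"}

def parse_netstat(text):
    """ESTABLISHED sockets as printed by 'netstat -tan', as {(local, remote)}."""
    rows = [l.split() for l in text.splitlines()]
    return {(f[3], f[4]) for f in rows if f and f[0] == "tcp" and "ESTABLISHED" in f}

def hidden(kernel_view, tool_view):
    """Entries the kernel reports that the user-space tool left out."""
    return sorted(set(kernel_view) - set(tool_view))

def probe_pids(max_pid):
    """kill(pid, 0) delivers no signal but asks the kernel whether the PID exists,
    so it still finds processes that a filtered /proc listing omits."""
    alive = []
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            alive.append(pid)
        except ProcessLookupError:
            pass
        except PermissionError:
            alive.append(pid)            # exists, owned by another user
    return alive

if __name__ == "__main__":               # Linux only
    max_pid = int(open("/proc/sys/kernel/pid_max").read())
    probed = probe_pids(max_pid)
    ps_pids = [int(p) for p in subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True).stdout.split()]
    listed = [int(d) for d in os.listdir("/proc") if d.isdigit()]
    # Short-lived processes show up in one view only; re-run to confirm a hit.
    print("PIDs missing from ps:        ", hidden(probed, ps_pids))
    print("PIDs missing from /proc list:", hidden(probed, listed))
    ns = subprocess.run(["netstat", "-tan"], capture_output=True, text=True).stdout
    kern = parse_proc_net_tcp(open("/proc/net/tcp").read())
    print("Sockets missing from netstat:", hidden(kern, parse_netstat(ns)))
```

A PID or socket that the kernel confirms but ps or netstat omits on two consecutive runs is worth treating as a hidden object rather than a race with a short-lived process.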
Current thread:
- tripwire failed??? anthony (Jul 17)
- Re: tripwire failed??? Stefano Zanero (Jul 17)