Security Incidents mailing list archives

Re: Bind8 exploit and a deleted partition map


From: Justin Shore <macdaddy () NEO PITTSTATE EDU>
Date: Wed, 14 Feb 2001 15:30:01 -0600

On 2/14/01 12:43 AM Jeremy L. Gaddis said...

Install Tripwire to protect your files like your inetd.conf or
ssh_random_seed...

FWIW, I've found that running "chattr +i" on important files
goes a long way when it comes to your average script
kiddie.  An experienced cracker would probably figure it
out pretty quick, but, IMO, a script kiddie would probably
give up pretty quick and go on to an easier target.

I just helped a friend who has one of his RH 6.2 boxes rootkitted.  One
of the things replaced was login.  His quick fix was to upgrade to 7.0.
That replaced damn near everything.  The one thing it wouldn't replace
was login.  It was immutable and he didn't know how to remove that (or
identify it).  I must admit that that's the first rootkit I've ever seen
do that.

Justin


--
Justin Shore                    Pittsburg State University
Network & Systems Manager       Kelce 157Q
Office of Information Systems   Pittsburg, KS 66762
Voice: (620) 235-4606           Fax: (620) 235-4545
http://www.pittstate.edu/ois/

Warning:  This message has been quadruple Rot13'ed for your protection.
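
The message above describes a replaced login binary that could not be overwritten because it was immutable, and an administrator who could not identify that. One way to surface such files, as an added example that is not part of the original post: it filters `lsattr` output for the immutable and append-only attributes. The function names, the directory list and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report files that carry the
# immutable (i) or append-only (a) attribute in `lsattr` output.

# Reads "<flags> <path>" lines on stdin; prints "<i|a|ia> <path>" per hit.
flagged_attrs() {
    while read -r flags path; do
        case "$flags" in
            # Skip blanks, error text and anything that is not a flag field.
            ''|*[!A-Za-z-]*) continue ;;
        esac
        [ -n "$path" ] || continue
        hit=''
        case "$flags" in *i*) hit="${hit}i" ;; esac
        case "$flags" in *a*) hit="${hit}a" ;; esac
        if [ -n "$hit" ]; then
            printf '%s %s\n' "$hit" "$path"
        fi
    done
    return 0
}

# Hypothetical helper: scan the usual binary directories on a live system.
# The directory list is an assumption; run as root.
scan_system_dirs() {
    lsattr -d /bin/* /sbin/* /usr/bin/* /usr/sbin/* 2>/dev/null | flagged_attrs
}

# Constructed sample of lsattr output, so the parser can be run offline.
sample_lsattr() {
    cat <<'EOF'
--------------e------- /bin/ls
----i---------e------- /bin/login
-----a--------e------- /var/log/messages
lsattr: Operation not supported While reading flags on /bin/sh
EOF
}

sample_lsattr | flagged_attrs
```

A system binary that is immutable without the administrator having set it is worth comparing against the package's copy. Once a file is confirmed as replaced, `chattr -i <path>` run as root clears the flag so a clean copy can be installed.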

