Security Incidents mailing list archives
Re: Ramen
From: Brian Taylor <drak3 () ATL MEDIAONE NET>
Date: Mon, 22 Jan 2001 13:11:17 -0800
Matt, generally (well, actually 99.999% of the time), the rule is to totally reformat whenever there has been a root level compromise. Go to your old backups, restore from there. Have a stiff drink, for that box is history.

But for future reference, check the file attributes. No, I'm not referring to the regular rwx using chmod. I'm referring to the attributes you can set using chattr. More than likely the intruders have modified those files by changing the security attributes using -a and/or -i flags (Append only and Immutable). Ext2 is really a great filesystem for allowing you to set those types of attributes, unless, of course, they're set against you! :-) These can be used for some light file protection as well (as it seems to be used against you currently). An excellent paper on Ext2 attributes can be found on securityfocus.com ( http://www.securityfocus.com/announcements/230 ) or else just 'man chattr'. You can use 'lattr' to list the file attributes.

But I wouldn't spend any more time on that box. It's rooted. Restore from backups. Take a look at Bastille and Tripwire for the future!

Good luck and best regards,

Brian Taylor
Level 2 Security Analyst
SecureWorks/IMSC
www.secureworks.net

> I was wondering if you can help me (...please :)). One of our RedHat 6.2 servers was hit this morning with Ramen. I've cleaned it out using the documented procedure but there's still a lingering problem which seems related. The hosts.allow and hosts.deny files on the server have been completely locked and cannot be changed, removed, chmoded even with superuser access. This doesn't seem documented anywhere but I can't think of any other cause (this problem did not occur before the infection). Any help or advice you can give would be (very) greatly appreciated.
>
> Thanks.
>
> Matt
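A defender-side check of the attribute point above, added here as an example and not taken from this thread: it parses lsattr(1) output and reports every file carrying the immutable (i) or append-only (a) attribute, which is exactly what locks hosts.allow and hosts.deny against root. The sample lsattr lines are constructed; `audit_dir` assumes the e2fsprogs lsattr binary is installed.

```shell
#!/bin/sh
# Added example (not from the original post): flag files whose ext2
# attributes include immutable (i) or append-only (a).
# Input is lsattr(1) output, one line per file: "<attr-flags> <path>".

# Print the line and return 0 if the flag field contains i or a;
# return 1 for clean files and for lsattr -R directory headers ("/etc:").
flag_locked() {
    line=$1
    case $line in
        *' '*) ;;            # a real entry has "<flags> <path>"
        *) return 1 ;;       # directory header or blank: skip
    esac
    attrs=${line%% *}        # flag field, e.g. ----i--------e--
    path=${line#* }          # everything after the first space
    case $attrs in
        *i*|*a*) printf '%s %s\n' "$attrs" "$path"; return 0 ;;
        *) return 1 ;;
    esac
}

# Read lsattr output on stdin and print only the locked entries.
find_locked() {
    while IFS= read -r entry; do
        flag_locked "$entry" || true
    done
}

# Recursively audit a real directory; errors from non-ext* filesystems
# and unreadable paths are dropped.
audit_dir() {
    lsattr -R -- "$1" 2>/dev/null | find_locked
}

# Constructed sample of lsattr output, modelled on the box Matt describes.
SAMPLE='/etc:
----i--------e-- /etc/hosts.allow
----i--------e-- /etc/hosts.deny
-------------e-- /etc/passwd
/var/log:
-----a-------e-- /var/log/messages'

printf '%s\n' "$SAMPLE" | find_locked
```

To check a live system run `audit_dir /etc` (and /var/log, /bin, /sbin) as root; any hit on a file you did not lock yourself is a strong sign of tampering.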