On Thursday 14 September 2006 03:43, Markus Wetzel wrote:
> last week my server got infected with the SuckIt rootkit (Debian with
> 2.4 kernel). Fortunately I have discovered this rootkit (chkrootkit) and
> reinstalled the system because I didn't know what else had been
> compromised.
>
> Is there a way to protect my server against a new infection with SuckIt?
Markus,

A system is usually exploited in two steps. First an attacker gains temporary root access. Second the attacker installs a rootkit. The rootkit is used to conceal the attack and provide backdoors into the system. Since root can do anything, one cannot prevent the installation of a rootkit by root. One has to examine logs, bash histories, time stamps and whatever else it takes to determine how the attacker gained temporary root access. Then you have to fix that security hole, then wipe and reinstall.

For example, we recently had a rootkit installed on a server. The attacker exploited a known webmin vulnerability [1] to read /etc/shadow, cracked an unprivileged user's password, used FTP to upload a trivial CGI script to the user's account, and then used the same webmin vulnerability to execute the CGI script as root. The logs revealed the attack vector and a webmin update [2] secured it.

--Mike Bird

[1] http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-3392

[OT] As an aside, this webmin vulnerability is assigned a low (2.3) priority by the bureaucrats at the US Department of Homeland Security as it "Allows unauthorized disclosure of information". We have contacted them but they are unwilling to change the priority despite the fact that "reading arbitrary files" in this case allows reading arbitrary files as CGIs, which always execute with root privileges. [/OT]

[2] http://prdownloads.sourceforge.net/webadmin/
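The reply above says the attack vector was recovered from the logs: a sensitive-file read through webmin, an FTP upload of a CGI into a user's home directory, then a second webmin request that executed it. The script below is an added example, not code from the thread or from webmin, of the log-correlation step of that investigation: it normalises two log sources into one timeline and flags that three-step sequence. Every log line in it is constructed, the log formats are simplified stand-ins rather than the real webmin or FTP daemon formats, and the "/traversal/" path prefix is a placeholder for the request the vulnerability accepted, not the actual trigger string.

```python
"""
Added example (not part of the original thread): merge constructed web-admin
and FTP logs into one timeline and flag the chain described in the reply:
sensitive file read -> CGI uploaded into a home directory -> request for
that CGI. Log formats below are simplified, made-up stand-ins.
"""
import re
from datetime import datetime

# Constructed web-admin access log: timestamp, client IP, method, path, status.
# "/traversal/" is a placeholder, not the real exploit string.
WEBMIN_LOG = """\
2006-09-08 02:11:07 198.51.100.7 GET /traversal/etc/shadow 200
2006-09-08 02:11:09 198.51.100.7 GET /traversal/etc/passwd 200
2006-09-08 03:40:22 198.51.100.7 GET /traversal/home/bob/x.cgi 200
2006-09-08 09:00:00 192.0.2.4 GET /index.cgi 200
"""

# Constructed FTP transfer log: timestamp, user, operation, path, size.
FTP_LOG = """\
2006-09-08 03:38:51 [bob] OK UPLOAD: /home/bob/x.cgi 312 bytes
2006-09-08 03:39:02 [bob] OK UPLOAD: /home/bob/readme.txt 40 bytes
2006-09-08 10:15:30 [alice] OK UPLOAD: /home/alice/photo.jpg 81234 bytes
"""

SENSITIVE_FILES = ("/etc/shadow", "/etc/passwd")
TS_FMT = "%Y-%m-%d %H:%M:%S"
WEBMIN_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d{3})$")
FTP_RE = re.compile(r"^(\S+ \S+) \[(\w+)\] OK UPLOAD: (\S+) (\d+) bytes$")


def parse_webmin(text):
    """Turn web-admin log lines into normalised events; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = WEBMIN_RE.match(line)
        if not m:
            continue
        ts, ip, _method, path, _status = m.groups()
        events.append({"ts": datetime.strptime(ts, TS_FMT), "src": "webmin",
                       "actor": ip, "action": "request", "target": path})
    return events


def parse_ftp(text):
    """Turn FTP upload lines into normalised events; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = FTP_RE.match(line)
        if not m:
            continue
        ts, user, path, _size = m.groups()
        events.append({"ts": datetime.strptime(ts, TS_FMT), "src": "ftp",
                       "actor": user, "action": "upload", "target": path})
    return events


def build_timeline(*event_lists):
    """Merge events from all sources into one list ordered by timestamp."""
    merged = [e for events in event_lists for e in events]
    return sorted(merged, key=lambda e: e["ts"])


def is_sensitive_read(ev):
    """A web request whose path ends in one of the sensitive files."""
    return ev["action"] == "request" and ev["target"].endswith(SENSITIVE_FILES)


def find_chains(timeline):
    """Flag each CGI uploaded into a home directory that is preceded by a
    sensitive-file read and followed by a request whose path ends with the
    uploaded file (the request that would execute it)."""
    findings = []
    for i, ev in enumerate(timeline):
        if not (ev["action"] == "upload" and ev["target"].startswith("/home/")
                and ev["target"].endswith(".cgi")):
            continue
        reads = [e for e in timeline[:i] if is_sensitive_read(e)]
        execs = [e for e in timeline[i + 1:]
                 if e["action"] == "request" and e["target"].endswith(ev["target"])]
        if reads and execs:
            findings.append({
                "user": ev["actor"], "cgi": ev["target"],
                "read_by": reads[0]["actor"], "read_at": reads[0]["ts"],
                "uploaded_at": ev["ts"],
                "executed_by": execs[0]["actor"], "executed_at": execs[0]["ts"],
            })
    return findings


def analyse(webmin_text=WEBMIN_LOG, ftp_text=FTP_LOG):
    """Parse both logs, build the timeline and return the flagged chains."""
    return find_chains(build_timeline(parse_webmin(webmin_text), parse_ftp(ftp_text)))


if __name__ == "__main__":
    for f in analyse():
        print(f"{f['user']}: {f['cgi']} uploaded {f['uploaded_at']}; "
              f"sensitive read by {f['read_by']} at {f['read_at']}; "
              f"requested by {f['executed_by']} at {f['executed_at']}")
```

On the constructed logs this reports one chain for user bob, with the same client address performing the read and the later request. The other evidence the reply lists (bash histories, file time stamps) fits the same normalised event shape, so each additional source only needs its own small parser feeding build_timeline; the point of the merged timeline is that the ordering across sources is what reveals the vector, not any single log on its own.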