Everyone knows the Internet is a dangerous place. Folks who've been on this list for a while have probably heard me harp about security by now. If you have, then you know I'm a nut when it comes to protecting your system - AND - protecting others FROM your system if it's been cracked.
It is for this reason that I'd like to suggest the following. Take 10 minutes to download, compile and run chkrootkit on your Linux systems. Review the output to see if you've been compromised. If you have, take the appropriate steps to isolate and/or repair the damaged system. If you're not familiar with chkrootkit already, please review what this fine program can do for you at http://www.chkrootkit.org. Chkrootkit is an easily installed utility that checks for the existence of rootkits, trojans, LKMs, sniffers, hidden directories, etc. Quite simply, if your system has been cracked, chkrootkit should be able to tell you so. For anyone that has questions about chkrootkit, please don't hesitate to contact me on- or (preferably) off-list.

Some tips for using chkrootkit:

- Use md5sum to verify your downloaded tarball.

- Use trusted binaries. There are a handful of system utilities (awk, cut, netstat, etc.) that chkrootkit uses to analyze the system. Since there's a chance these files have been modified by the exploit, upload a tarball of them from a compatible, trusted system to a temporary directory, and use the "-p" flag to tell chkrootkit where to find the preferred binaries.

- Chkrootkit is a "one-time-use" utility. It isn't meant to sit statically on a system like a host IDS. Use it once, then remove it. Download it a month later and test again. Don't bother leaving it on the box... you never know when *IT* might be compromised, affecting your tests.

I know that a lot of folks will probably blow this off, since most still don't take security as seriously as they should. Nevertheless, if only 1 out of 100 users take my advice... and 1 out of those 100 discover and isolate an exploited server... that's potentially thousands of exploited servers that have been pulled offline and aren't hammering my firewall with nonsense. Why did this end up sounding like a chain letter? ;-)

--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net

--
redhat-list mailing list
https://www.redhat.com/mailman/listinfo/redhat-list
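The three tips in the post (verify the tarball's md5sum, point chkrootkit at trusted copies of the tools it shells out to with -p, and treat it as a one-shot check) can be wrapped in a small helper. This is an added example, not code from the post or from the chkrootkit project; the expected digest, the tarball and trusted-binary paths, and the tool list beyond awk/cut/netstat are assumptions to adjust for your version.

```shell
#!/bin/sh
# Added example, not from the original post or from chkrootkit itself.
# Tools chkrootkit shells out to: the post names awk, cut and netstat; the
# rest follow chkrootkit's README (assumption - trim or extend for your version).
TRUSTED_TOOLS="awk cut echo egrep find head id ls netstat ps sed strings uname"

# verify_tarball FILE EXPECTED_MD5 -> 0 when the digest matches, 1 otherwise.
# The expected value comes from the project's published checksum, not the tarball.
verify_tarball() {
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# stage_trusted_bins SRCDIR DESTDIR -> copy each tool from SRCDIR (the tarball
# unpacked from a compatible, trusted host) into DESTDIR. Returns 1 and lists
# what is missing if any tool is absent, so a partial staging is never used.
stage_trusted_bins() {
    src=$1; dest=$2; missing=""
    mkdir -p "$dest"
    for t in $TRUSTED_TOOLS; do
        if [ -x "$src/$t" ]; then
            cp "$src/$t" "$dest/$t"
        else
            missing="$missing $t"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing trusted binaries:$missing" >&2
        return 1
    fi
    return 0
}

# run_once TARBALL EXPECTED_MD5 TRUSTED_SRC -> one-shot run: build in a scratch
# directory, run with -p against the staged binaries, then delete everything.
run_once() {
    work=$(mktemp -d) || return 1
    verify_tarball "$1" "$2" || { echo "md5 mismatch, refusing to run" >&2; rm -rf "$work"; return 1; }
    tar -xzf "$1" -C "$work" || { rm -rf "$work"; return 1; }
    stage_trusted_bins "$3" "$work/bin" || { rm -rf "$work"; return 1; }
    # chkrootkit unpacks into a versioned directory and builds with "make sense"
    (cd "$work"/chkrootkit-* && make sense && ./chkrootkit -p "$work/bin") && rc=0 || rc=$?
    rm -rf "$work"   # one-time use: remove the checker and the staged binaries
    return $rc
}
```

Call it as `run_once chkrootkit.tar.gz <published md5> /tmp/trusted-bins` on the host under test; a digest mismatch or a missing trusted tool aborts before chkrootkit is ever built.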