On Tuesday 23 January 2001 12:39 pm, you wrote:

> However, I was UNABLE to find the processes in the ps
> -ax output??????  I've never seen this before.  Is this a new exploit?
> Imagine attempting to find a command called t0rntd on your computer, and
> not being able to detect in the Process List.
> called /usr/src/.puta/stachel/t0rntd

You have been hit by a well known and oft publicized (in certain 
circles) rootkit: the t0rn rootkit.  Among its various features are recompiled 
versions of ps and ls that specifically ignore the processes and 
directories this kit uses.  Another interesting feature of this 
particular rootkit is the inclusion of the Stacheldraht DoS client; your 
box may have been participating in Denial of Service attacks as well.

> wuftpd packed version 2.6.0.  PLEASE REMOVE THIS PACKAGE FROM YOUR
> ENVIRONMENT!

wu-ftp has been known to have problems in the past and various security 
updates have been released over the past year for this product, through 
the 2.6.0 cycle.  The latest release of this package is 2.6.1 which itself 
fixes certain security holes.  It is NOT the responsibility of the vendor 
of the distribution to maintain the security of individually installed 
boxes.  YOU are responsible for the security of the boxes you control.  
This includes monitoring things like the Mandrake website Security section 
or subscribing to one of the many security related mailing lists in order 
to keep up with the various new releases of software that is running 
currently on your machines.  

That being said however, it would be a nice thing if someone could include 
with the older ISOs an update or errata sheet that lists the packages that 
need to be updated from a security standpoint.  

> Any answers to my questions are appreciated.  I have already contacted
> the FBI and I am monitoring my environment with a closer eye on the
> logfiles.

1) Make a bitstream copy of the hard drive to new media.  Make sure you 
find a product that can cryptographically seal the copy.  If you have 
already made alterations to the drive and its logs, it will be forensically 
useless to the FBI.

2) Reformat the old drive.  It is impossible to attempt to recover the 
box.  You will not find all of the things that may or may not have been 
done to the box in the time it has been rooted.  Reinstall from trusted 
media (i.e. the original install disks), make note of all software that is 
on the security update section of the Mandrake site and UPDATE it.  
Restore your data from backups, manually.  Why manually?  Because you may 
have backed up the trojaned version of a command or parts of the rootkit.

3) Get yourself familiar with the logs and use of a log watching system 
like LogSentry from Abacus Software (or Psionic, I forget what they call 
themselves now) or Swatch or logwatch or the like.  Look into using a 
filesystem integrity tool like Tripwire, Free Veracity, or the homegrown 
versions.  Check into your firewall configuration and if at all possible, 
get the firewall on its own box.

4) Realize that security is a process not a state.  100% security can only 
happen with 100% network non-connectivity, on a box with no power supply.  
Software packages need constant monitoring for updates and patches, kernel 
software needs the same monitoring.  Log monitors and IDS mean nothing if 
no one checks the results.

5) Look into the software packages that you are using and running on a 
box.  Was ftp supposed to be running on this box?  If so, check into 
proftpd, supposedly more secure and easier to deal with than wu-ftpd.  Check 
the security backgrounds and current status of the packages you intended 
to run.  A little planning goes a long way in securing your boxes.

Sorry to get on the lecture horse but security is extremely important in 
this day and age, and while Mandrake and the other distributions have made 
strides in an attempt to make the application of security measures easier, it 
is still in the hands of the administrators, and will be for a long time.  
I look forward to seeing what the new Mandrake sponsored Bastille team is 
going to do.  But all of these things are just tools to make our jobs 
easier, not to do our jobs for us.  

I'll stop now
-- 
Matthew Micene                     A host is a host from coast to coast,
Systems Development Manager        and no one will talk to a host too close
Express Search Inc.                Unless the host that isn't close 
www.ExpressSearch.com              is busy, hung or dead