Tripwire would be a good topic.

Regards, Dustin

On Fri, 2001-09-07 at 08:35, john beamon wrote:
> There's a post that will probably make it around every linux/oss news site
> within a few hours about a Linux trojan.  I read the original at the link
> below, and it's a nice piece of work.  This trojan can infect Linux ELF
> binaries, adding about 2700 bytes of its own code.  It doesn't affect the
> function of the program it infects, but it does change the modified dates
> and size, which can be spotted by tripwire.
> 
> The trojan contacts 212.15.64.41:80 with an HTTP GET request, which can be
> spotted by a firewall or web proxy.  Upon receipt of the http request, the
> remote site can make requests back to the trojan for a remote shell
> access.  If the infected program is run by a privileged user or, worse, a
> scheduled SUID program, the remote shell has their privileges.  On an
> infected system, the backdoor process creates a lockfile
> /tmp/982235016-gtkrc-429249277. The presence of this lockfile is an
> indication for a potential infection with Remote Shell Trojan.
> 
> http://www.qualys.com/alert/remoteshell.html
> 
> This has the potential to be worse than the Lion worm, but it's also
> identifiable by tripwire and some log monitoring.  I think this would make
> an excellent topic for a LUG, especially while it's fresh.  I haven't done
> tripwire, <blush>but I've skipped over countless magazine articles about
> how to set it up</blush>.  Is there a tripwire guru in the house who'd
> like to tackle it for us?
> 
-- 
Dustin Puryear <[EMAIL PROTECTED]>
http://members.telocity.com/~dpuryear
In the beginning the Universe was created. 
This has been widely regarded as a bad move. - Douglas Adams

================================================
BRLUG - The Baton Rouge Linux User Group
Visit http://www.brlug.net for more information.
Send email to [EMAIL PROTECTED] to change
your subscription information.
================================================
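
The message above names three things a defender can check for: a change in file size and date, the outbound HTTP request, and the lockfile. As an added example (not part of the original messages and not Tripwire's own format or configuration), the sketch below builds a hash-and-size baseline, reports files that no longer match it, and tests for the lockfile path quoted in the post. The function names are hypothetical, and `sha256sum`, `mktemp` and `head -c` are assumed to be available.

```shell
#!/bin/sh
# Added example: a minimal integrity baseline in the spirit of Tripwire.
# Function names are hypothetical; only the lockfile path comes from the post.
RST_LOCKFILE="/tmp/982235016-gtkrc-429249277"

# snapshot DIR: print "sha256 size path" for each regular file under DIR.
snapshot() {
    find "$1" -type f | sort | while IFS= read -r f; do
        printf '%s %s %s\n' \
            "$(sha256sum < "$f" | cut -d' ' -f1)" \
            "$(wc -c < "$f" | tr -d ' ')" "$f"
    done
}

# changed_files BASELINE DIR: print files that are new or whose hash/size
# no longer matches the stored baseline line.
changed_files() {
    snapshot "$2" | while IFS= read -r line; do
        grep -qxF -- "$line" "$1" || printf '%s\n' "${line#* * }"
    done
}

# lockfile_present [PATH]: succeed if the backdoor's lockfile exists.
lockfile_present() { [ -e "${1:-$RST_LOCKFILE}" ]; }

# demo: constructed files only; simulates the reported ~2700-byte growth.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/bin"
    printf 'constructed stand-in for a binary\n' > "$work/bin/ls"
    printf 'second constructed file\n' > "$work/bin/ps"
    snapshot "$work/bin" > "$work/baseline"   # keep baseline outside DIR
    head -c 2700 /dev/zero >> "$work/bin/ls"
    changed_files "$work/baseline" "$work/bin"
    rm -rf "$work"
}

demo
if lockfile_present; then echo "indicator lockfile found: $RST_LOCKFILE"; fi
```

A baseline is only trustworthy if it was taken from a known-clean system and is stored where the monitored host cannot rewrite it.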
