On Fri, Sep 16, Nick Rout wrote:
> I thought I had better start taking a look around and tried to emerge
> chkrootkit, but this bombed telling me it failed to untar the source
> code :(
Nick, trojan binaries are often commands such as ls, find, ps, netstat,
less. Chkrootkit uses these commands, so for a proper scan use the -p path
option, 'chkrootkit -p /path/to/trusted/binaries', by copying trusted
binaries from the linux install cds. 'chkrootkit' is a shell script which
works the "first" time provided you use trusted binaries.

> this weekend I have the choice of doing further tests, or doing a complete
> re-install (/home is on a separate partition). What do people recommend?

The 'find' command might reveal something but a reinstall is the favoured
option.

find / -mtime -3 > foobar.txt
find / -user root -perm -4000 -print > foobar.txt

Recommended sites
http://www.linuxsecurity.com
http://www.cert.org
newsgroup comp.os.linux.security

Samhain has superseded tripwire.
http://la-samhna.de/samhain/index.html
Samhain guide
http://www.newsforge.com/article.pl?sid=03/07/29/1727249

> I guess the real concern is how they managed to log in in the first
> place. Yes, I should not have had the (default) option of allowing root
> login via ssh.

I don't agree with openssh being installed insecurely with default root
login. Dictionary attacks and probes can be avoided by using alphanumeric
user names and moving ssh from port 22.

hth,
keith.