Hey, thanks everyone for the files and suggestions... we quickly learned that a trojaned ssh had been capturing pws... booo. So, we found the sk 'sucKit' rootkit installed, and used its own uninstall routines to remove it. Unfortunately s/he was in for a bit of time before we caught on, so the logs had rotated away :( not much to trace back through.

Our question is, what was the point of entry? The destination was /tmp, of course.

No PHP/MySQL installed
Possible insecure/exploited CGI
Possible internal
Possible sniffed/guessed/bruteforced pop3/ftp pwd = ssh pwd
Possible incidental pwd capture from one of our users ssh-ing to us from a compromised server

Lesson learned: Despite the enormous volumes of information regarding the security status of your boxen that pass before your eyes, and no matter how much you distill it before it reaches you, you will still miss important things because there's just So Much.

I never did install the keylogger; we figured it out and shut it down. Thank you all and goodnight.

> -----Original Message-----
> Sent: Monday, March 11, 2002 4:01 PM
> To: forensicsat_private; incidentsat_private
> Subject: Keylogger Needed Quick!
>
>
> We got an intruder cornered and need to install a keylogger quick! Anyone
> got a good one that I can drop in real easy and quiet-like to nab
> this guy?
> He comes in right around the same time and that time draws near.
>
> OS: RedHat Linux 7.1
>
> I was confused by the ones listed at PacketStorm, most of them are for
> Windoze. Any help getting this installed would be appreciated!
>
> -t
>
>
> -----------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
> -----------------------------------------------------------------
This archive was generated by hypermail 2b30 : Sun Mar 17 2002 - 05:05:21 PST