First off, thank you to everyone who responded! Very helpful information that has allowed me to recover more gracefully on at least a couple of systems.

Second, just a brief recap. I'm fairly positive now that the first machine (of four) was compromised due to a missing patch. Being an older Cobalt RaQ4r, it likely presented itself as a nice, soft target. I believe that the other three machines (all RH8) were compromised after the attacker gathered info from the primary victim; info such as passwords, etc. On the three RH8 systems, I do show single ssh connections lasting a couple of minutes at the same times listed on the .sk12 folder and its contents. This leads me to believe that the attacker used ssh to remotely install the rootkit, perhaps by catting the file and piping it to ssh, or something along those lines.

The Cobalt system had to be completely rebuilt. It got eaten alive, basically. One of the RH8 systems also had to be rebuilt because it ceased wanting to reboot after I tried to manually remove the .sk12 directory (I had not seen previous notes about /sbin/init*). The second RH8 system (third victim) was rebuilt for good measure (it was a good opportunity to add another NIC for dual-homing). The final RH8/compromised system is currently still up, just with the network cable disconnected, so that it can be studied later.

Again, I wish to thank everyone for their generous assistance with this matter! I've had my head in architecture design for so long that I was very out of sorts with the best method for incident response and triage.

cheers,
-ben
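The correlation ben describes above (ssh sessions whose start and end bracket the timestamps on the .sk12 directory and on /sbin/init) is the kind of check worth scripting before touching anything on the remaining disconnected host. The following is an added example and is not code from ben's post or from any tool mentioned on this list; it assumes Red Hat 8 era OpenSSH/pam_unix wording in /var/log/secure, assumes the year 2003 for the syslog lines (which carry no year), and uses constructed sample log lines and a constructed `find -printf '%TY-%Tm-%Td %TH:%TM:%TS %p\n'` style file listing in place of real evidence.

```python
"""Correlate ssh login sessions with file timestamps in a suspect tree.

Added example, not from the original post. The two SAMPLE_* strings are
constructed stand-ins for /var/log/secure and for the output of
`find <dir> -printf '%TY-%Tm-%Td %TH:%TM:%TS %p\n'` run against an image
of a compromised RH8 host. Year and local timezone are assumed (syslog
lines carry neither), so pass the correct year for the log in question.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sshd syslog lines in RH8-era OpenSSH + pam_unix wording.
SAMPLE_SECURE_LOG = """\
Mar 29 02:13:41 web2 sshd[4412]: Accepted password for root from 10.0.0.5 port 33801 ssh2
Mar 29 02:13:41 web2 sshd(pam_unix)[4412]: session opened for user root by (uid=0)
Mar 29 02:15:58 web2 sshd(pam_unix)[4412]: session closed for user root
Mar 29 09:40:02 web2 sshd[5120]: Accepted password for ben from 192.168.1.20 port 41122 ssh2
Mar 29 09:40:02 web2 sshd(pam_unix)[5120]: session opened for user ben by (uid=0)
Mar 29 09:41:10 web2 sshd(pam_unix)[5120]: session closed for user ben
"""

# Constructed file listing: "<mtime> <path>", one file per line.
SAMPLE_FILE_LISTING = """\
2003-03-29 02:14:05 /root/.sk12/sk
2003-03-29 02:14:07 /root/.sk12/sshd_config
2003-03-29 02:15:30 /sbin/init
2003-03-28 11:02:00 /etc/passwd
"""

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ sshd(?:\(pam_unix\))?\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
ACCEPTED_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port")


@dataclass
class Session:
    """One sshd child process, keyed by its pid, with the window it was open."""
    pid: int
    user: str = "?"
    src: str = "?"
    opened: Optional[datetime] = None
    closed: Optional[datetime] = None   # None: no close seen, treat as still open
    files: List[str] = field(default_factory=list)

    def contains(self, when: datetime, slack: timedelta = timedelta(0)) -> bool:
        """True if `when` falls inside this session (widened by `slack` each side)."""
        if self.opened is None:
            return False
        if when < self.opened - slack:
            return False
        return self.closed is None or when <= self.closed + slack


def parse_sessions(log_text: str, year: int = 2003) -> List[Session]:
    """Group 'Accepted', 'session opened' and 'session closed' lines by sshd pid."""
    sessions: Dict[int, Session] = {}
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not an sshd line; ignore
        when = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                 "%Y %b %d %H:%M:%S")
        s = sessions.setdefault(int(m["pid"]), Session(int(m["pid"])))
        msg = m["msg"]
        a = ACCEPTED_RE.match(msg)
        if a:
            s.user, s.src = a["user"], a["src"]
        elif msg.startswith("session opened"):
            s.opened = when
        elif msg.startswith("session closed"):
            s.closed = when
    return [sessions[p] for p in sorted(sessions)]


def parse_listing(text: str) -> List[Tuple[datetime, str]]:
    """Parse '<YYYY-mm-dd> <HH:MM:SS> <path>' lines into (mtime, path) pairs."""
    files = []
    for line in text.splitlines():
        date, time, path = line.split(" ", 2)
        files.append((datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), path))
    return files


def correlate(sessions: List[Session], files: List[Tuple[datetime, str]],
              slack: timedelta = timedelta(0)) -> List[Session]:
    """Attach to each session the files whose mtime lies inside its window;
    return only the sessions that picked up at least one file."""
    for s in sessions:
        s.files = [path for when, path in files if s.contains(when, slack)]
    return [s for s in sessions if s.files]


if __name__ == "__main__":
    hits = correlate(parse_sessions(SAMPLE_SECURE_LOG), parse_listing(SAMPLE_FILE_LISTING))
    for s in hits:
        print(f"pid {s.pid}: {s.user} from {s.src}, {s.opened} -> {s.closed}")
        for p in s.files:
            print("   ", p)
```

Run it against a copy of the log and a listing taken from an image of the disconnected host, not the live filesystem, and widen `slack` by a minute or so if the clocks on the hosts were not in sync. Two caveats a practitioner would want stated: file timestamps are fully under the intruder's control (`touch` resets them), so an overlap supports the ssh-delivery hypothesis while the absence of one refutes nothing; and an sshd child that logged "session opened" but never "session closed" is kept open-ended on purpose, since a session the kit's replacement sshd stopped logging looks exactly like that.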
This archive was generated by hypermail 2b30 : Thu Apr 03 2003 - 16:56:23 PST