my server was cracked; now what?

Vlad shiwan-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Tue Jul 18 15:45:01 UTC 2006


        So who is responsible for patching said server? You? Or your
generic server hosting company? (They sound like the $20 a month
random desktop hosting company. Ugh.)

        On the topic of rootkits, they've been pretty advanced for
years now. I'm talking about something that loads itself as a Kernel
module, then overwrites certain sections of the running Kernel so that
the system calls made by "lsmod", "ps", "ls", "dir", et al., are all
intercepted and modified as needed. Usually, they also provide CLI
command hooks to be able to dynamically hide/unhide processes, files,
etc. The only way to detect them is to power off, mount the
filesystems from another box, and see if there's anything left behind.
        Nowadays, we're headed into the Brave New World(tm) of
virtualizing rootkits - though, thankfully, Windows is the first to
get hit with those.

        I miss the old days of having different platforms available.
(Think DEC Alpha.) Security through binary incompatibility!


        -- Vlad

On 7/18/06, Aaron Vegh <aaronvegh-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:
> > If I were
> > your hosting company I'd pull the plug on the machine.
>
> I'm glad you're not my hosting company! :-)
>
> Like I said earlier, I've got an admin request in to reformat the
> drive and upgrade the OS at the same time. I agree with the dire
> threats uttered in this thread, unpleasant though they are to hear.
> The thought that I can't trust the output of netstat or anything
> else is really scary...
>
> Cheers,
> Aaron.
> --
> The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
>


--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
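The detection approach Vlad describes (power off, mount the disk from a clean box, look at what is actually on the filesystem rather than what a hooked kernel reports) can be scripted. The following is an added example, not code from the original thread: it hashes every regular file under a mounted, read-only root and compares the result with a baseline manifest taken from known-good media, reporting modified binaries, missing files, and anything left behind that the baseline never contained (such as an extra kernel module). The sample "clean" and "tampered" trees are constructed in temporary directories so the script runs offline; in real use the baseline comes from a trusted install or package database, and the suspect disk is mounted from a rescue system.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of one file, read in chunks so large binaries do not load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root):
    """Walk an offline-mounted filesystem root and hash every regular file.

    Paths are recorded relative to the mount point so a manifest built on
    clean media can be compared against a disk mounted anywhere.  Symlinks
    are skipped rather than followed: we want the bytes actually stored on
    the disk, not what a link resolves to.
    """
    root = Path(root)
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            digests[str(p.relative_to(root))] = hash_file(p)
    return digests


def compare(baseline, observed):
    """Diff two path->digest maps.  'added' is the interesting bucket for a
    rootkit hunt: files present on disk that no trusted baseline accounts for."""
    return {
        "modified": sorted(k for k in baseline
                           if k in observed and baseline[k] != observed[k]),
        "missing": sorted(k for k in baseline if k not in observed),
        "added": sorted(k for k in observed if k not in baseline),
    }


def demo():
    """Constructed scenario (sample data, not a real image): build a clean
    tree, copy it, then tamper with the copy by replacing one binary and
    dropping an extra kernel module.  Returns the comparison result."""
    with tempfile.TemporaryDirectory() as clean, \
            tempfile.TemporaryDirectory() as mnt:
        files = {
            "bin/ps": b"#!/bin/sh\necho procs\n",
            "bin/ls": b"#!/bin/sh\necho files\n",
            "lib/modules/2.6/net.ko": b"\x7fELFnet",
        }
        for rel, data in files.items():
            for base in (clean, mnt):
                p = Path(base) / rel
                p.parent.mkdir(parents=True, exist_ok=True)
                p.write_bytes(data)
        baseline = hash_tree(clean)

        # Simulated tampering on the suspect disk (constructed, hypothetical).
        (Path(mnt) / "bin/ps").write_bytes(b"#!/bin/sh\necho procs | grep -v x\n")
        (Path(mnt) / "lib/modules/2.6/hide.ko").write_bytes(b"\x7fELFhide")

        return compare(baseline, hash_tree(mnt))


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket}: {paths}")
```

The comparison runs entirely on the examining machine, so nothing on the suspect disk is executed and the hooked kernel Vlad describes never gets a say in the result. Mount the suspect filesystem read-only with `noexec` when doing this for real, and keep the baseline manifest somewhere the compromised host could never have written to.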
