Found, a new rootkit

Gene Heskett gene.heskett at verizon.net
Sat Apr 1 17:08:58 UTC 2006


On Friday 31 March 2006 19:29, John Summerfield wrote:
>Gene Heskett wrote:
>> We've cut our bandwidth use in half by getting rid of that.  We also
>> checked the logs and added several dozen more addresses
>> to /etc/hosts.deny,
>
>That is fairly useless. IP addresses of attackers change as quickly as
>IP addresses of spammers, and they have so many it's like trying to
>fence off the porn sites of the world.
>
>More important is to discover how the rogue gained entry and to close
>that loophole. How did the shell script get there? Whose account was
>used? Does .bash_history include useful clues about what was done? Did
>the attacker send email after gaining entry? If so, the recipient
>domain (eg Yahoo) may be interested.
>
>Root's account, eh? Disallow password-based authentication for root.
>Ensure that only those who need it have shell accounts, and that those
>have good passwords. _I_ have incoming ssh land on my personal
>desktop, where there is only my password to worry about.

root ssh is denied. To do normal maintenance we log in as ourselves &
su -.

-- 
Cheers, Gene
People having trouble with vz bouncing email to me should add the word
'online' between the 'verizon', and the dot which bypasses vz's
stupid bounce rules.  I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2006 by Maurice Eugene Heskett, all rights reserved.
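The two sshd settings argued over in this exchange (no root login over ssh, and no password-only logins) are easy to state and easy to get subtly wrong, because sshd honours the first non-comment occurrence of a keyword and a commented-out line silently leaves the default in force. The script below is an added example, not code from either poster: it reads an sshd_config body, resolves the effective value of `PermitRootLogin` and `PasswordAuthentication` the way sshd does, and reports findings. The two config texts it audits are constructed samples (a weak "before" and a hardened "after"); the function names are mine. It assumes the plain `Keyword value` form of sshd_config and does not handle the `Keyword=value` spelling.

```shell
#!/bin/sh
# Added example: audit sshd_config for root-login and password-auth settings.
# Not from the fedora-list thread; helper names and sample configs are constructed.

# Constructed sample: the weak "before" state. Note the commented-out
# PubkeyAuthentication line, which does NOT disable key auth (default stays on).
WEAK_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes'

# Constructed sample: the hardened "after" state matching the reply above
# (root ssh denied outright; users log in as themselves with keys and su -).
HARDENED_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes'

# sshd_value KEYWORD CONFIG_TEXT
# Prints the effective value of KEYWORD: the first non-comment line whose
# first field matches (keywords are case-insensitive in sshd_config).
# Prints nothing if the keyword is not set, i.e. sshd's built-in default applies.
sshd_value() {
    printf '%s\n' "$2" | awk -v key="$1" '
        $0 !~ /^[[:space:]]*#/ && tolower($1) == tolower(key) { print $2; exit }'
}

# sshd_audit CONFIG_TEXT
# Prints one FINDING line per weak setting. Returns 0 when both settings are
# hardened, 1 otherwise. An unset keyword is reported as a finding because the
# default for both keywords has historically been "yes".
sshd_audit() {
    rc=0
    root=$(sshd_value PermitRootLogin "$1")
    pw=$(sshd_value PasswordAuthentication "$1")

    # "no" denies root entirely; prohibit-password / without-password allow
    # root only with keys, which is the weaker option the quoted reply suggests.
    case "$root" in
        no|prohibit-password|without-password) ;;
        *) echo "FINDING: PermitRootLogin is '${root:-unset}' (want no)"; rc=1 ;;
    esac

    case "$pw" in
        no) ;;
        *) echo "FINDING: PasswordAuthentication is '${pw:-unset}' (want no)"; rc=1 ;;
    esac
    return $rc
}

# Usage: audit both constructed samples.
echo "== weak config =="
if sshd_audit "$WEAK_CONFIG"; then echo "OK: hardened"; fi
echo "== hardened config =="
if sshd_audit "$HARDENED_CONFIG"; then echo "OK: hardened"; fi
```

To run it against a live host, replace the constructed text with `sshd_audit "$(cat /etc/ssh/sshd_config)"`; on modern OpenSSH also check `sshd -T`, which prints the fully resolved configuration including `Include`d files and `Match` blocks that this simple parser does not follow.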




More information about the fedora-list mailing list