Dear Dr. Moyna,
Maybe you have a chance to avoid formatting your disk and re-installing the OS.
Please visit
http://www.sans.org/newlook/resources/IDFAQ/knark.htm
http://pweb.netcom.com/~spoon/lcap/
to find a tool named lcap.
Hope this helps.
Cheers,
Tong
Guillermo Moyna wrote:
> Hi gang,
>
> This one is unrelated to NMR, but important if you have a linux box
> (i.e., new brukers will) with all your data on it.
>
> A little web server that we have here was hacked last weekend with a
> very pernicious rootkit called 'knark'. The hacker got into the
> machine, probably exploiting a vulnerability in one of the ports not
> protected by our firewall (great firewall, uh?), then installed this
> program, and got root access. The program (actually, a gzipped
> 'distribution' with makefile and everything) was installed deep in
> /dev/, so it would be hard to find. He also replaced a loadable
> kernel module by a trojan that would open the ports/services he
> wanted open after reboots. He also installed a variety of trojan
> replacements for common system commands (ps, ls, ifconfig, netstat,
> etc., etc.) that made the hacker's processes hidden to the user, as
> well as other programs, such as 'rootme', which gave him root
> privileges with no passwords, and a sniffer, so he could look at
> usernames/passwords that were issued from that machine. He/she also
> wiped out the /var/log directory to cover his tracks. This was his
> mistake, as the web-server died when /var/log/httpd was gone, and
> that's how I realized we were being hacked.
>
> In any case, the only solution was to unplug the thing from the wall,
> and now we are consulting with our ISP on the best route to
> take to make our server secure. I looked at 'tripwire', but
> apparently knark can get around tripwire. I'm certain that we'll have
> to re-format the drive and re-install the OS.
>
> Take-home message: If you are running brukers with linux, be VERY
> careful about these things. I also read that if the hacker had been a
> little less sloppy, we would not have noticed anything abnormal! If
> you need to have the linux box on the network (even a private one),
> remove ANY unused service, and firewall everything else. Also, if you
> are not doing development of programs, disable the C compilers, so
> that these things cannot be installed.
>
> Just thought I'd share my frustration with the group...
>
> Cheers,
>
> Guillermo
>
--
Yu-Feng Tong || 童宇峰
NMR Group, Dept. Enzymology
Inst. Biophysics, Academia Sinica
15 Datun Road, Beijing, P.R.China, 100101
_______________________________________________________________________________
Life is an everlasting game of Weiqi(igo, baduk).
Received on Thu Dec 13 2001 - 09:55:12 MST
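As an added example that is not part of Tong's reply or Guillermo's post (and not code from knark or lcap), here is the kind of cross-view check a practitioner reaches for when, as in the post, ps and netstat can no longer be trusted: it compares the PIDs that readdir(/proc) lists, which is the view ps and top rely on, with the PIDs that answer kill(pid, 0), and treats a PID that is alive by probe but absent from the listing as hidden from every /proc-based tool. It assumes Linux; all function names are this example's own.

```python
"""Cross-view check for processes hidden from ps and /proc.

Added example, not code from the original post or from knark/lcap. It compares
two views of the process table: what readdir(/proc) returns (the view ps, top
and similar tools depend on) and what answers kill(pid, 0). A PID alive by
probe but missing from the listing is hidden from every /proc-based tool.
Assumes Linux; all names are this example's own.
"""
import os
import time


def pids_from_proc():
    """PIDs that readdir(/proc) returns: the view ps and top rely on."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_by_probe(max_pid=None):
    """PIDs that answer kill(pid, 0). EPERM still means the PID exists."""
    if max_pid is None:
        try:
            with open("/proc/sys/kernel/pid_max") as fh:
                max_pid = int(fh.read())
        except OSError:
            max_pid = 32768  # the 2.4-era default
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # exists, owned by another user
        alive.add(pid)
    return alive


def hidden_pids(listed, probed):
    """Pure comparison: alive by probe but absent from the listing."""
    return sorted(set(probed) - set(listed))


def tgid_from_status(text):
    """Thread-group id from a /proc/<pid>/status blob, or None if absent."""
    for line in text.splitlines():
        if line.startswith("Tgid:"):
            return int(line.split()[1])
    return None


def explain(pid, listed):
    """Why a candidate PID is (or is not) suspicious.

    Threads answer kill() too, but only their group leader is listed in
    /proc, so a candidate whose Tgid is a listed process is an ordinary
    thread, not a hidden process. Returns None for benign, else a reason.
    """
    try:
        with open("/proc/%d/status" % pid) as fh:
            tgid = tgid_from_status(fh.read())
    except OSError:
        return "pid %d answers kill() but /proc/%d is unreadable" % (pid, pid)
    if tgid is not None and tgid != pid:
        if tgid in listed:
            return None  # ordinary thread of a visible process
        return "pid %d is a thread of unlisted process %d" % (pid, tgid)
    return "/proc/%d is readable but readdir(/proc) does not list it" % pid


def find_hidden(reprobe_delay=0.2):
    """Live check. Candidates are re-examined after a short pause so that
    processes which merely started or exited between the two scans drop out."""
    candidates = hidden_pids(pids_from_proc(), pids_by_probe())
    if not candidates:
        return []
    time.sleep(reprobe_delay)
    listed = pids_from_proc()
    findings = []
    for pid in candidates:
        if pid in listed:
            continue  # appeared after the first listing: just a new process
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue  # exited between scans
        except PermissionError:
            pass
        reason = explain(pid, listed)
        if reason:
            findings.append((pid, reason))
    return findings


if __name__ == "__main__":
    for pid, reason in find_hidden():
        print("SUSPICIOUS:", reason)
```

Run it as root so the probe reaches every process. A kernel module that also filters kill() defeats this view, so an empty result is not a clean bill of health; the trustworthy route remains the one Guillermo describes, reformatting and re-installing.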