sigh.

Apr. 5th, 2005 09:05 am
[personal profile] rmd
my home machine got rootkitted over the weekend. must rebuild tonight.

Date: 2005-04-05 01:18 pm (UTC)
From: [personal profile] muffyjo
that's a bad thing, right? Oh dear.

Date: 2005-04-05 01:32 pm (UTC)
From: [identity profile] sparkymonster.livejournal.com
Apply bourbon to yourself while doing so.

Date: 2005-04-05 02:02 pm (UTC)
From: [personal profile] ceo
Oh, suck. :-(

On that subject, can you recommend a tool for detecting whether one has been rootkitted? I think I should keep a closer eye on my machine than I do.

Date: 2005-04-05 02:19 pm (UTC)
From: [personal profile] coraline
me too :/

Date: 2005-04-05 05:24 pm (UTC)
From: [identity profile] deguspice.livejournal.com
I'm not a Linux person, but I've heard people talk about using Tripwire to detect changed files. I think it does a checksum of important files and then periodically it recomputes the checksums and looks to see if anything has changed.
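
A stripped-down version of the checksum-baseline approach described in that comment, added here as an example (it is not from the thread and is not Tripwire's own code): record a SHA-256 digest of every regular file under a directory once, then recompute and report what changed, vanished or appeared. The file names, directory layout and "trojaned" contents in the demonstration are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original thread: a minimal Tripwire-style
# integrity check. baseline_create records a SHA-256 digest for every regular
# file under the given directories; baseline_check recomputes them later and
# reports what CHANGED, went MISSING, or is NEW. Paths containing whitespace
# are not handled (sha256sum's two-column output is split on spaces).

# Usage: baseline_create <db-file> <dir>...
baseline_create() {
  db=$1; shift
  find "$@" -type f -print0 | sort -z | xargs -0 sha256sum > "$db"
}

# Usage: baseline_check <db-file> <dir>...
# Prints "CHANGED <path>", "MISSING <path>", "NEW <path>" lines, sorted;
# prints nothing when the tree still matches the baseline.
baseline_check() {
  db=$1; shift
  cur=$(mktemp)
  find "$@" -type f -print0 | sort -z | xargs -0 sha256sum > "$cur"
  # First input (baseline) fills base[path]=digest; second input (current
  # snapshot) is compared against it. Whatever is left in base[] at the end
  # no longer exists on disk.
  awk 'NR == FNR { base[$2] = $1; next }
       {
         if (!($2 in base))        print "NEW     " $2
         else if (base[$2] != $1)  print "CHANGED " $2
         delete base[$2]
       }
       END { for (p in base) print "MISSING " p }' "$db" "$cur" | sort
  rm -f "$cur"
}

# Self-contained demonstration on a constructed tree in a temp directory:
# take a baseline, replace one "binary", delete another, drop in a new file.
demo() {
  root=$(mktemp -d)
  mkdir -p "$root/bin"
  printf 'ls v1\n'      > "$root/bin/ls"
  printf 'ps v1\n'      > "$root/bin/ps"
  printf 'netstat v1\n' > "$root/bin/netstat"
  baseline_create "$root/baseline.db" "$root/bin"

  printf 'ps that hides pids\n' > "$root/bin/ps"   # replaced binary
  rm -f "$root/bin/netstat"                        # removed binary
  printf 'backdoor\n' > "$root/bin/.sshd2"         # dropped-in file

  baseline_check "$root/baseline.db" "$root/bin"
  rm -rf "$root"
}

demo
```

Two caveats a real deployment needs and this toy skips: the baseline file has to live where an attacker with root cannot rewrite it (read-only media or another host), and the `find`, `sha256sum` and `awk` binaries doing the checking can themselves be replaced by the rootkit, so the comparison is only trustworthy when run from a clean boot medium against the mounted disk.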

Date: 2005-04-05 08:40 pm (UTC)
From: [identity profile] frotz.livejournal.com
this (http://www.chkrootkit.org/) can be handy for the garden-variety varieties.

Date: 2005-04-05 09:41 pm (UTC)
From: [identity profile] rmd.livejournal.com
for redhat, "rpm -Va" checks all rpm-installed files and verifies them. look for the "5" in the status field on things like ls, ps, and netstat. that's a big danger sign.

blatant things that happened to me were my password getting changed on remote machines and local syslog files being blown away. also, tcpdump or snoop showing unusual network activity, or nmap (ideally from another machine) finding unusual ports open.
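
As an added example (not posted by anyone in the thread), the following script reads `rpm -Va` output the way that comment describes and flags a changed digest (the "5") or an outright missing file on the binaries a rootkit typically replaces. The watch list and the sample verify output are constructed for illustration; on a real system pipe in `rpm -Va` instead, ideally running rpm from known-good rescue media against the mounted disk (`rpm -Va --root /mnt/...`), since a trojaned rpm binary or an edited RPM database would otherwise defeat the check.

```shell
#!/bin/sh
# Added example, not code from the original thread: scan `rpm -Va` verify
# output for packaged binaries whose contents no longer match the RPM database.
#
# Each verify line is:  <status> [<type>] <path>
# The status field has one character per test ('.' = passed, '?' = not checked):
#   S size  M mode  5 MD5 digest  D device  L readlink  U user  G group  T mtime
# (rpm releases of the 2005 era print 8 characters; newer ones add P for caps.)
# The optional type letter marks config (c), doc (d), ghost (g), license (l) or
# readme (r) files. A '5' on a system binary means the file itself was replaced.
# A line starting with "missing" means the packaged file is gone altogether.

# Binaries a rootkit typically trojans to hide itself (assumed list; extend it).
WATCHED='ls ps netstat top find du ifconfig login sshd syslogd tcpdump'

# Constructed sample of `rpm -Va` output for offline use; on a real host run
#   rpm -Va 2>/dev/null | flag_changed_binaries
SAMPLE_VERIFY_OUTPUT='S.5....T.    /bin/ls
.......T.    /usr/bin/top
S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /bin/netstat
S.5....T.    /usr/sbin/sshd
missing      /usr/sbin/tcpdump
.M.......    /usr/bin/passwd
..5....T.    /usr/share/doc/foo/README'

# Read verify output on stdin; print one line per watched binary whose digest
# changed or that is missing. Config files are skipped: they are expected to
# differ from the packaged copy, so a '5' there is not evidence by itself.
flag_changed_binaries() {
  while read -r status rest; do
    # Split "[type] path" into positional parameters.
    set -- $rest
    if [ "$#" -eq 2 ]; then
      type=$1; path=$2
    else
      type=''; path=$1
    fi
    [ "$type" = "c" ] && continue
    base=${path##*/}
    watched=0
    for w in $WATCHED; do
      [ "$base" = "$w" ] && watched=1
    done
    [ "$watched" -eq 1 ] || continue
    case "$status" in
      missing) printf 'MISSING %s\n' "$path" ;;
      *5*)     printf 'CHANGED %s\n' "$path" ;;
    esac
  done
}

# Number of flagged files in the sample, so a wrapper script can exit non-zero
# when anything at all is reported.
count_flagged() {
  printf '%s\n' "$SAMPLE_VERIFY_OUTPUT" | flag_changed_binaries | grep -c .
}

printf '%s\n' "$SAMPLE_VERIFY_OUTPUT" | flag_changed_binaries
```

On the constructed sample this reports `ls`, `netstat` and `sshd` as changed and `tcpdump` as missing, while ignoring the modified `sshd_config` (a config file) and `top` (only its mtime differs). Files that were never installed from a package, such as a dropped-in backdoor binary, do not appear in `rpm -Va` output at all, which is why a whole-filesystem baseline is still worth keeping alongside it.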

Date: 2005-04-05 03:28 pm (UTC)
From: [identity profile] lillibet.livejournal.com
Sorry to hear it.

How was Spamalot?!

Date: 2005-04-05 03:44 pm (UTC)
From: [identity profile] smeehrrr.livejournal.com
Owie. How did that happen?

Date: 2005-04-05 03:49 pm (UTC)
From: [personal profile] cz_unit
That sucks. What tools were used?

I notice a lot of rooting attempts on alembic, but apparently haxorz have no clue how to crack a NeXTStation anymore.

CZ

Date: 2005-04-05 03:59 pm (UTC)
From: [personal profile] annathepiper
YEEP! Sorry to hear that, hon; I still grimace at the major pain in the ass it was for us to get murkworks.net back online last summer after it happened to us. :/

Date: 2005-04-05 05:03 pm (UTC)
From: [identity profile] lyonesse.livejournal.com
bummer! what os/distro, and what rootkit, if you know?

i once had somebody break onto my rh5 box, and spend what appeared to be an hour trying to rootkit it with kits for rh6 - 9. gave me a bit of a laugh, and an excuse to move to debian :)

Date: 2005-04-05 05:33 pm (UTC)
From: [identity profile] candle-light.livejournal.com
That sucks. Any correlation with the porklips stuff?

Date: 2005-04-05 08:51 pm (UTC)
From: [identity profile] rmd.livejournal.com
*sigh* yeah. i can't tell for sure, but chances are good that i was the vector in on that. i think they got my password via a hacked ssh on my machine or a password logger or something.

Date: 2005-04-05 07:10 pm (UTC)
From: [personal profile] solarbird
Ah! Now I know why xR is gone.

We can temphost for you if you need it.

Date: 2005-04-05 08:52 pm (UTC)
From: [identity profile] rmd.livejournal.com
thanks. if i don't get things fixed tonight, i'll take you up on that.

(i sent mail out to a bunch of folks about it, but i'd mentioned it over the phone to q (since she gets her mail there) and she said she'd tell you over im)

Powered by Dreamwidth Studios