Box Cracked ( Was: thank's )

bob.smith at kolumbus.fi bob.smith at kolumbus.fi
Sun Oct 21 05:33:48 UTC 2007


Les Mikesell <lesmikesell at gmail.com> wrote: 
> bob.smith at kolumbus.fi wrote:
> >>
> >> Something strange in those script? Something that lead you to think 
> >> you've a rootkit installed?
> >>
> >>
> > I do this to get to know the system, I have been cracked many times and 
> > quite honestly have enough of it. Either I get to know my system deep 
> > down, or I run the box online all days all nights without protection.
> 
> The software included in the distro is fairly secure if you keep it up 
> to date with frequent 'yum update' runs.  If you have been cracked 'many 
> times' it is likely to be because you have weak passwords that someone 
> is guessing through ssh, or you haven't kept the system up to date as 
> new exploits are discovered and fixed, or you have added 3rd party or 
> your own programs (like a lot of php web stuff...) that are insecure and 
> haven't kept them up to date.
> 
> -- 
>    Les Mikesell
>     lesmikesell at gmail.com
> 
> -- 
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
> 
> > The rootkit designs I saw were aimed at the kernel for some reason. No 
> > where could I find mention of a Linux rootkit.
> > 
> 
> FWIW, I been running rkhunter on Unix and Linux systems for several
> years, on a regular basis.  I also occasionally run chkrootkit, but
> I like rkhunter better.  It checks for more than 100 rootkits and
> trojans <http://www.rootkit.nl/projects/rootkit_hunter.html>
> 
> And it checks md5 values for a number of files, in the easiest case
> against the rpm db.  e.g. rkhunter -c --pkgmgr rpm
> 
> Regards,
> Doug Wyatt
> 
> 


Hi, 
Well, I found rkhunter, ran it, and it did output a few warnings. Now... I feel more comfortable knowing about rkhunter, which I did not know before this thread. 

A good thing would be to (for each distro) somehow document what is normal on a default installation (if such exists). For example, the numerous unix sockets that are in use on my box worried me a lot. Of course, as someone mentioned, they "don't leave the system", but that didn't occur to me. 

Regarding the /tmp directory, there is an entry /tmp/keyring-something. Does anyone know what the term keyring means in the security context?

Thank you for your advice and help
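Doug's point about rkhunter checking file hashes against a trusted reference (the rpm database in the easiest case) is the core of any file-properties check. The script below is an added illustration, not rkhunter's code: it records a baseline of hashes for a constructed set of files, then reports which ones are unchanged, modified, or missing, which is the same comparison rkhunter makes between its stored values (or the rpm db) and what is on disk. The file names and the temporary directory are constructed for the demo.

```python
"""Baseline-and-verify integrity check in the spirit of rkhunter's file
properties test (added illustration, not rkhunter's or Fedora's code)."""
import hashlib
import os
import tempfile


def hash_file(path, algo="sha256"):
    """Hash a file in chunks. md5 is what the thread mentions; sha256 is the
    sensible default now, and the algorithm is a parameter for that reason."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths, algo="sha256"):
    """Record the hash of every file while the system is in a trusted state,
    playing the role the rpm database plays for packaged files."""
    return {p: hash_file(p, algo) for p in paths}


def verify(baseline, algo="sha256"):
    """Return {path: 'ok' | 'modified' | 'missing'} relative to the baseline."""
    report = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            report[path] = "missing"
        elif hash_file(path, algo) != expected:
            report[path] = "modified"
        else:
            report[path] = "ok"
    return report


def demo():
    """Constructed sandbox: three fake 'binaries'; after the baseline is taken,
    one is overwritten and one is deleted, as a tampered box might look."""
    d = tempfile.mkdtemp()
    files = {n: os.path.join(d, n) for n in ("ls", "ps", "netstat")}
    for name, p in files.items():
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\necho trusted " + name.encode() + b"\n")
    baseline = build_baseline(files.values())
    with open(files["ps"], "wb") as f:  # simulate a replaced binary
        f.write(b"#!/bin/sh\necho changed\n")
    os.remove(files["netstat"])  # simulate a deleted binary
    return {os.path.basename(p): s for p, s in verify(baseline).items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:8} {status}")
```

On a real Fedora box the baseline would come from the package manager (`rpm -V` does this comparison for packaged files), which is what `rkhunter -c --pkgmgr rpm` uses; a self-recorded baseline only helps if it was taken before any compromise and stored where an intruder cannot rewrite it.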


