[Lincs] lug.org.uk has been compromised! My 2p
Peter Cooper
peter at petercooper.co.uk
Mon Nov 22 15:55:45 GMT 2004
On 22 Nov 2004, at 15:34, Chris Marr wrote:
> How do you get a backdoor installed (whatever software it came with) in the
> first place? I'd have thought that lug admins would 1) get the software from
> a reputable source (i.e., download from apache) to have some level of
> culpability, or 2) download source, check it for issues (i.e., backdoors) and
> then compile and test it.
In the open source world, backdoors are rarely built into the software
you download and install. What usually happens is someone manages to
break into the server and either swaps your software with some
nastyware that has a backdoor, or installs a backdoor into your
existing software with a module or similar.
The cracker then usually leaves the server running normally until they
or their "group/clan/krew" wants to use the box for something or other
(attacking another machine, launch a DoS attack, set up an open mail
relay for spamming, etc).
You can run something like chkrootkit every now and then to detect the
most common exploits, although it isn't fool-proof. This is why it's
important to have a good firewall, chroot your shells, limit shell
access to only "trusted" users, and to keep a good eye on logwatch,
chkrootkit, and such.
Pete
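The "someone swaps your binary for a backdoored one" case above is exactly what a periodic integrity baseline catches, and it complements chkrootkit's signature checks. The script below is an added example, not code from the original message or from chkrootkit; it assumes sha256sum (GNU coreutils) or shasum (BSD/macOS) is on PATH, and the directory layout and sample "binaries" it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal file-integrity
# baseline check to catch the "swapped binary" case the post describes.
# Assumes sha256sum (GNU coreutils) or shasum (BSD/macOS) is on PATH.
# All paths and sample "binaries" below are constructed for the demo.

# Print "<sha256>  <path>" for one file.
hashfile() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# Record the hash of every regular file under $1 into the baseline file $2.
# Sorted so two runs over unchanged files produce byte-identical output.
make_baseline() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        hashfile "$f"
    done > "$2"
}

# Re-hash $1 and compare with baseline $2. Returns 0 when identical,
# 1 when any file changed, disappeared or appeared (a replaced binary or a
# dropped-in module shows up as a differing line).
check_baseline() {
    cur=$(mktemp) || return 2
    make_baseline "$1" "$cur"
    if diff "$2" "$cur" >/dev/null; then
        rc=0
    else
        echo "integrity check FAILED for $1:"
        # '<' lines are baseline entries no longer matching, '>' lines are current state
        diff "$2" "$cur" | grep '^[<>]'
        rc=1
    fi
    rm -f "$cur"
    return $rc
}

# Walk through the scenario: baseline a clean tree, verify it, then simulate
# an intruder replacing one "binary" and confirm the check catches it.
# Returns 0 if the check behaved correctly at both steps.
demo() {
    work=$(mktemp -d) || return 2
    mkdir -p "$work/bin"
    printf '#!/bin/sh\necho real login\n' > "$work/bin/login"
    printf '#!/bin/sh\necho real ls\n'    > "$work/bin/ls"
    make_baseline "$work/bin" "$work/baseline.sha256"

    if ! check_baseline "$work/bin" "$work/baseline.sha256"; then
        echo "unexpected: clean tree failed verification" >&2
        rm -rf "$work"; return 1
    fi

    # Simulated intrusion: login is swapped for a backdoored copy.
    printf '#!/bin/sh\necho backdoored login\n' > "$work/bin/login"

    if check_baseline "$work/bin" "$work/baseline.sha256"; then
        echo "unexpected: swapped binary not detected" >&2
        rm -rf "$work"; return 1
    fi
    rm -rf "$work"
    return 0
}

demo && echo "demo: swapped binary detected as expected"
```

Two caveats that match the "isn't fool-proof" remark: the baseline file has to live somewhere the intruder cannot rewrite (read-only media or another host), and an intruder with root can just as easily replace sha256sum, find or diff themselves, which is the same reason chkrootkit can be fooled by a well-placed rootkit. Package managers offer the same idea for their own files (rpm -V, debsums), but they do not cover anything you compiled by hand.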