[Nottingham] Rootkit/break in

Derek Huskisson nottingham at mailman.lug.org.uk
Tue Aug 12 11:33:01 2003


On Mon, 2003-08-11 at 14:02, Johannes Kling wrote:
> Hello,
> 
>   Recently a customer's machine was cracked and had a (fairly clumsy)
> rootkit installed on it. To clean the mess up, I reinstalled pretty
> much all basic system binaries (ls, find, ps, kill, killall etc.), and
> did some further investigation. However, I was unable to identify
> exactly what rootkit was used. Google proved not helpful (both web
> and groups) and chkrootkit couldn't quite decide either unfortunately,
> so I was wondering if anybody else has seen this around before.
> 
> Here are more details:
> 
> 
Hello Jo
	Have you any more evidence that this machine was cracked? If chkrootkit
is indecisive (how did it fail BTW?) and there is no more evidence than
you've got I would think more in terms of file system corruption to
start off with, rather than a break-in.
		Have you run a file system check? etc. etc.
			Derek
-- 
Derek Huskisson <derek@huskisson.free-online.co.uk>