[sclug] Adore root kit

J.Mann jon at spinis-associates.co.uk
Fri May 27 09:55:58 UTC 2005


> I thought naively that the purpose of a root kit would be to have 'silent'
> root access to the server to do whatever whilst the owner is unaware ?

Yes, that is the idea.

Perhaps the person who changed the root password is not the same person
who installed the root-kit?

> Anyhow, server will be re-installed. 

Good plan. Do not trust anything currently held on the server.

If the machine has been compromised then its backups may also be
compromised. Malicious code may have been inserted into your code
repositories and subsequently backed up. Beware of this.

Carefully examine your other machines for signs of exploits. They may
also be victims.

> But prior to getting to docklands, is there anyway I can gain back a
> root account ?

Have an onsite techie change it for you. However, you cannot be sure
that the "hacker(s)" won't still have access.

Reinstall the machine ASAP. Keep it firewalled and fully patched.
Restore data from a trusted backup.

Best regards,
Jon Mann.


On Fri, May 27, 2005 at 09:56:30AM +0100, David Herring wrote:
> 
> Hello again,
> 
> Obviously a two question day....
> 
> We just had one of our devel servers 'hacked' from Russia.
> 
> It's running an 8.0 Suse, so probably exploited some vulnerability in OS.
> 
> I know the adore root kit has been installed, but the strange thing
> is that they have also changed root passwd. This is odd, since it tells
> me the machine has changed - i.e. I thought naively that the purpose of a
> root kit would be to have 'silent' root access to the server to do
> whatever whilst the owner is unaware ?
> 
> Anyhow, server will be re-installed. But prior to getting to docklands,
> is there any way I can gain back a root account ? I can login as a user
> account - can see the adore root kit which has been installed, etc. If
> anyone thinks they can 'become' root on such a system, then please let me know.
> 
> Thanks dave
> 
> -- 
> 
> David Herring
> ---
> NetFM Ltd
> T: 01344 769068
> M: 07973 673027
> ---
> http://www.journey2share.co.uk/
> The number 1 trusted car share solution
> 

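On Jon's point that backups taken from a compromised host may carry planted code: the check a practitioner would want before restoring is to compare the backup against a hash manifest that was captured and kept off the machine before the break-in. The following is an added example, not code from the sclug thread or from either poster. The file names, their contents, the tampered backup and the existence of an offline manifest are all constructed assumptions for illustration.

```python
"""Verify a backup snapshot against a trusted, offline hash manifest.

Added example, not from the sclug thread. Assumption: a SHA-256 manifest
of the source tree was captured and stored away from the server before the
compromise. Nothing that exists only on the compromised host (including any
manifest found there) is trusted.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(tree: Dict[str, bytes]) -> Dict[str, str]:
    """Map relative path -> sha256 for an in-memory tree (path -> content)."""
    return {path: sha256_bytes(data) for path, data in tree.items()}


def manifest_from_dir(root: Path) -> Dict[str, str]:
    """Same mapping, built by walking a real directory (e.g. a mounted backup)."""
    out: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            out[p.relative_to(root).as_posix()] = sha256_bytes(p.read_bytes())
    return out


def compare(trusted: Dict[str, str], candidate: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files whose hash changed, files not in the manifest, and files gone.

    Any non-empty list means the backup must not be restored blindly: modified
    or added files are exactly where planted code would sit.
    """
    modified = sorted(p for p in trusted if p in candidate and trusted[p] != candidate[p])
    added = sorted(p for p in candidate if p not in trusted)
    missing = sorted(p for p in trusted if p not in candidate)
    return {"modified": modified, "added": added, "missing": missing}


def is_clean(report: Dict[str, List[str]]) -> bool:
    return not any(report.values())


# Constructed sample data: the tree as it looked before the incident ...
TRUSTED_TREE: Dict[str, bytes] = {
    "src/app.py": b"def handler(req):\n    return render(req)\n",
    "src/util.py": b"def render(req):\n    return req.body\n",
    "README": b"devel server build notes\n",
}
# ... and a backup taken afterwards: one file altered, one unknown file
# present, one file gone. All of this is constructed for the example.
BACKUP_TREE: Dict[str, bytes] = {
    "src/app.py": TRUSTED_TREE["src/app.py"],
    "src/util.py": b"def render(req):\n    return req.body\n# constructed: line absent from trusted copy\n",
    "src/.cache.so": b"constructed binary blob not in the manifest",
}

TRUSTED_MANIFEST = build_manifest(TRUSTED_TREE)
REPORT = compare(TRUSTED_MANIFEST, build_manifest(BACKUP_TREE))


def roundtrip_dir_check() -> bool:
    """Write the trusted tree to a temp dir and confirm the directory walker
    produces the same manifest as the in-memory builder."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for rel, data in TRUSTED_TREE.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return manifest_from_dir(root) == TRUSTED_MANIFEST


if __name__ == "__main__":
    for kind, paths in REPORT.items():
        for p in paths:
            print(f"{kind:9s} {p}")
    print("clean" if is_clean(REPORT) else "tampered: restore only files that verify")
```

In practice the trusted manifest would be generated on the known-good system (or from the version-control history on a separate host) and the comparison run against the backup mounted read-only on a clean machine, never on the compromised server, whose tools may themselves have been replaced by the rootkit.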