Andrew Daviel (andrew@daviel.org)
Sat, 19 Feb 2000 23:55:37 -0800 (PST)
In the aftermath of a (relatively minor) break-in over Christmas, I have
written a little rootkit detector/trap.
Basically, it does automatically what one would do from the console if
one detected an intruder (successful hack)
- see who's logged on from where
- tell someone
- disconnect the network
It detects tampering with (a small number of) system files or running a
packet sniffer, regardless of how access was obtained. It's designed to be
small, simple to install on standard distros (well, RedHat anyway),
stealthy, generate very few false alarms, and not interfere with normal
usage (such as analysis jobs that might be running).
Available from http://vancouver-webpages.com/rkdet/
Improvements and suggestions welcome!
(please mail directly)
(for those interested, the intruder first compromised a UBC system Dec
28th, probably using wu-ftpd, set up a packet sniffer, grabbed some
passwords for some of ours, logged onto an Alpha, hopped to a Linux box
(which didn't allow telnet from offsite), got root via (I think) a crontab
exploit, set up another packet sniffer and a rootkit, and hopped to
another Linux box, at which point someone noticed and unplugged things...)
Andrew Daviel
TRIUMF, etc.
-- This message came to you via the Vancouver Linux Users Group mailing list. For unsubscription instructions do not email the list, but rather send mail to <vanlug-request@gweep.bc.ca>.
This archive was generated by hypermail 2.0b3 on Sun 20 Feb 2000 - 07:56:39
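The trap described in the post (checksum a few system files, look for an interface in promiscuous mode, and on a hit list who is logged on from where, tell someone, and pull the network plug) is simple enough to sketch in portable shell. The script below is an added illustration for this archive page, not Andrew Daviel's rkdet code; the watched-file list, the baseline format, the alert address, the NET_IFACES default and the IFACE_LISTING/DRY_RUN knobs are assumptions, and the ip/ifconfig sample text used to exercise the parser is constructed. One caveat the post's design implies: the baseline must live where the intruder cannot rewrite it (read-only media or another host), or a rootkit that replaces the binaries can simply re-hash them.

```shell
#!/bin/sh
# Added example, not rkdet's own code: a minimal tamper/sniffer trap.
# Assumed knobs: WATCHED (files to check), ALERT_TO, NET_IFACES, DRY_RUN
# (1 = report only), IFACE_LISTING (file of ip/ifconfig output, for testing).
WATCHED="${WATCHED:-/bin/login /bin/ps /bin/ls /bin/netstat /sbin/ifconfig}"
ALERT_TO="${ALERT_TO:-root}"
NET_IFACES="${NET_IFACES:-eth0}"
DRY_RUN="${DRY_RUN:-1}"
IFACE_LISTING="${IFACE_LISTING:-}"

# Checksum one file; a missing file hashes to MISSING so deletion is caught too.
# sha256sum where available, POSIX cksum as the fallback on old systems.
hash_file() {
    [ -f "$1" ] || { echo MISSING; return; }
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        cksum "$1" | awk '{print $1 "-" $2}'
    fi
}

# Emit "hash path" lines for the given files (keep this off the box).
make_baseline() {
    for f in "$@"; do
        printf '%s %s\n' "$(hash_file "$f")" "$f"
    done
}

# Recompute every baseline entry; print the paths that differ.
# Returns 1 if anything changed or vanished, 0 if all clean.
check_baseline() {
    dirty=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ "$(hash_file "$path")" != "$expected" ]; then
            printf '%s\n' "$path"
            dirty=1
        fi
    done < "$1"
    return $dirty
}

# Parse "ip link" or "ifconfig -a" style output on stdin and print the
# interfaces flagged PROMISC, which is what a running sniffer leaves behind.
promisc_from_text() {
    awk '
        /^[0-9]+: [^:]+: </ { name=$2; sub(/:$/,"",name); if ($0 ~ /PROMISC/) print name; next }
        /^[^ \t]/           { name=$1; sub(/:$/,"",name) }
        /PROMISC/           { if (name != "") print name }
    ' | sort -u
}

promisc_ifaces() {
    if [ -n "$IFACE_LISTING" ]; then
        promisc_from_text < "$IFACE_LISTING"
    elif command -v ip >/dev/null 2>&1; then
        ip -o link 2>/dev/null | promisc_from_text
    else
        ifconfig -a 2>/dev/null | promisc_from_text
    fi
}

# The console routine from the post: who is on from where, tell someone,
# then take the box off the network (interfaces named by the sniffer check,
# else NET_IFACES). With DRY_RUN=1 it only prints what it would do.
respond() {
    reason="$1"; ifaces="${2:-$NET_IFACES}"
    report="$(printf 'ALARM on %s at %s\n%s\n\nLogged on:\n%s\n' \
        "$(uname -n)" "$(date)" "$reason" "$(who 2>/dev/null)")"
    if [ "$DRY_RUN" = 0 ]; then
        printf '%s\n' "$report" | mail -s "rootkit trap: $(uname -n)" "$ALERT_TO"
        for i in $ifaces; do
            ip link set "$i" down 2>/dev/null || ifconfig "$i" down
        done
    else
        printf '%s\n[dry run] would mail %s and down: %s\n' "$report" "$ALERT_TO" "$ifaces"
    fi
}

# One pass over the baseline file given as $1: returns 0 when clean,
# 1 when the trap fired (and respond has been called).
run_trap() {
    changed="$(check_baseline "$1")" || true
    sniff="$(promisc_ifaces)"
    [ -z "$changed$sniff" ] && return 0
    respond "$(printf 'changed files: %s\npromiscuous interfaces: %s' \
        "${changed:-none}" "${sniff:-none}")" "$sniff"
    return 1
}
```

Usage would be `make_baseline $WATCHED > /path/on/readonly/media/baseline` once from a known-good state, then `run_trap /path/to/baseline` from cron every few minutes with DRY_RUN=0. Note that the detection is deliberately narrow, as in the post: a rootkit that leaves the watched files alone and a sniffer that does not set PROMISC (a tap, or capture on another host) will not trip it.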