
RE: [suse-security] Re: Backdoor over http(s)??



Hi Mátyás,

On Tue, 13 Jan 2004, at 17:46, Mátyás Tibor wrote:
> So,
> 
> my machine is a SuSE 8.2,
> with firewall (Shorewall), chkrootkit, tripwire, etc.

What does your tripwire log say?

Shorewall isn't too useful in this case because when a daemon (like
apache) that is allowed to receive connections from the outside has a
weakness, this is beyond any firewall.

As for chkrootkit: you simply cannot rely on it when it uses executables
on your system to determine whether it is compromised. Imagine there is
a rootkit on your machine and it simply exchanges the system tools
chkrootkit uses with modified versions? You may want to mount some live
CD like Knoppix and use its unmodified chkrootkit along with the
unmodified binaries from the clean Knoppix CD.

> I check for updates fast every day(..)

Which doesn't affect software like PHPNuke which you didn't install via
YaST. YaST can only update those packages maintained by SuSE.

> My SuSE runs since 7 days with the newest kernel (and patches).
> I don't know too much about the latest kernel bug, maybe I was too slow with 
> the update??

The latest kernel bug was a local one and required a local account to
exploit it.

> To be sure, I got a new chkrootkit tarball, but the machine is clean.
> Nothing is corrupted in /etc /var /usr /lib /bin /dev /root /sbin etc....

You can't be sure since chkrootkit kind of depends on a clean system to
say it's clean. See above.

> /srv ?? I don't check it with tripwire. Maybe in the future I should.
> I have made a grep for wget in cgi-bin/ --> nothing.

If you want to have reliable results with tripwire in the future you'll
have to reinstall cleanly ;-)

kind regards,
Tobias
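
Tobias' point that chkrootkit (or any checker) is only as trustworthy as the binaries it runs, illustrated with an added example that is not part of this thread: a small POSIX sh script that hashes a directory of a suspect host with utilities taken from a trusted medium such as a mounted live CD, and compares the result against a baseline recorded while the host was known clean. TRUSTED_BIN, the mount path and the function names are assumptions.

```sh
#!/bin/sh
# Integrity check of a suspect host's files using utilities from a trusted
# medium (a mounted live CD such as Knoppix), not the suspect host's own tools.
# Added example for this thread; all paths are assumptions.

# Directory with known-good utilities (find, xargs, sha256sum, sort, diff,
# grep, awk). On a suspect host point this at the live CD mount, e.g.
# /mnt/cdrom/usr/bin; the default is only for running the example itself.
TRUSTED_BIN="${TRUSTED_BIN:-/usr/bin:/bin}"

# Hash every regular file below DIR with the trusted tools and write
# "hash  path" lines, sorted by path, to OUT. Paths must not contain spaces.
# Usage: make_baseline DIR OUT
make_baseline() {
    dir=$1; out=$2
    ( PATH="$TRUSTED_BIN"; export PATH
      find "$dir" -type f -print0 | xargs -0 sha256sum | sort -k2 > "$out" )
}

# Re-hash DIR and compare against a baseline taken while the host was known
# clean. Prints "< path" for baseline entries that changed or vanished and
# "> path" for files that changed or appeared; returns 0 if nothing differs,
# 1 if something does, 2 on internal error.
# Usage: verify_baseline DIR BASELINE
verify_baseline() {
    dir=$1; baseline=$2
    current=$(mktemp) || return 2
    make_baseline "$dir" "$current" || { rm -f "$current"; return 2; }
    changes=$( PATH="$TRUSTED_BIN"; export PATH
               diff "$baseline" "$current" | grep '^[<>]' \
               | awk '{ print $1, $3 }' | sort -u )
    rm -f "$current"
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}
```

The baseline file itself must live on read-only or off-host media; a baseline stored on the suspect disk can be rewritten along with the binaries it describes.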


-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here