[Cialug] rootkit

David Champion cialug@cialug.org
Thu, 10 Mar 2005 10:45:34 -0600


If you have it on a really restrictive firewall. Some rootkit / trojans 
will make connections back to a server via IRC or some other protocol, 
and many firewalls (i.e. linux w/ ipmasquerade) will allow that 
connection by default.

It would be useful to know what service this rootkit broke in with. And 
what OS you were running, and if it was patched up recently.

-dc

admin wrote:
> ok this raises a second question. would firewalling it (if i can't find
> the infected files) be sufficient to keep it from doing further damage? or
> could my box be a zombie now? what exactly do rootkits do?
> 
> 
> -----Original Message-----
> From: Jerry Weida <jweida@gmail.com>
> To: cialug@cialug.org
> Date: Thu, 10 Mar 2005 08:56:46 -0600
> Subject: Re: [Cialug] rootkit
> 
> 
>>Well, as many people will tell you, the only safe thing to do is wipe
>>the system and start over.  Depending on the rootkit installed, you
>>may be able to clean it and replace any trojaned executables from your
>>original install source.
>>
>>
>>On Thu, 10 Mar 2005 09:02:25 -0600, admin <admin@c0wzftp.com> wrote:
>>
>>>just ran chkrootkit on my server and found out there may be a damn rootkit
>>>installed. what to do what to do?
>>>
>>>any help here would be hot.
>>>
>>>-------------------------
>>>want an email address ending in @c0wzftp.com?
>>>send an email on over to admin@c0wzftp.com
>>>
>>>_______________________________________________
>>>Cialug mailing list
>>>Cialug@cialug.org
>>>http://cialug.org/mailman/listinfo/cialug
>>>
>>
>
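
An added example, not part of the original thread: the reply above notes that a rootkit may connect back out over IRC or another protocol and that a masquerading firewall allows this by default. The sketch below checks netfilter LOG lines recorded on the gateway (where a rootkit on the server cannot hide them) for outbound flows outside an allowlist. The log prefix, addresses and allowlist are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample of netfilter LOG lines from the gateway (not the suspect host).
# The "EGRESS" prefix, interface names and all addresses are made up for this example.
SAMPLE_LOG = """\
Mar 10 10:12:01 gw kernel: EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TTL=63 PROTO=TCP SPT=34567 DPT=6667 WINDOW=5840 SYN
Mar 10 10:12:04 gw kernel: EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=60 TTL=63 PROTO=TCP SPT=34570 DPT=80 WINDOW=5840 SYN
Mar 10 10:13:01 gw kernel: EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TTL=63 PROTO=TCP SPT=34571 DPT=6667 WINDOW=5840 SYN
Mar 10 10:13:09 gw kernel: EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.22 DST=203.0.113.9 LEN=60 TTL=63 PROTO=TCP SPT=40100 DPT=6667 WINDOW=5840 SYN
Mar 10 10:14:30 gw kernel: EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=192.0.2.44 LEN=76 TTL=63 PROTO=UDP SPT=123 DPT=123
Mar 10 10:15:02 gw kernel: EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=192.0.2.99 LEN=60 TTL=63 PROTO=TCP SPT=34580 DPT=50000 WINDOW=5840 SYN
"""

# Assumed policy: the only outbound traffic this server legitimately needs.
ALLOWED = {("UDP", 53), ("UDP", 123), ("TCP", 80), ("TCP", 443)}

# LOG lines are space-separated KEY=value tokens; bare flags like SYN are ignored.
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def unexpected_egress(log_text, host, allowed):
    """Count outbound flows from `host` whose (protocol, dest port) is not allowed."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("SRC") != host or "DPT" not in fields:
            continue  # other hosts, or protocols without ports (e.g. ICMP)
        flow = (fields["PROTO"], int(fields["DPT"]))
        if flow not in allowed:
            hits[(fields["DST"],) + flow] += 1
    return hits


if __name__ == "__main__":
    found = unexpected_egress(SAMPLE_LOG, "192.168.1.10", ALLOWED)
    for (dst, proto, port), n in found.most_common():
        note = " (conventional IRC port)" if port == 6667 else ""
        print(f"{n}x {proto} -> {dst}:{port}{note}")
```

Repeated connections to the same destination on a port the server has no reason to use are the pattern to investigate; the same allowlist is what a default-deny egress rule set would enforce.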