Baxil [bakh-HEEL'], n.
June 27th, 2007
12:39 am
can't sleep, server will eat me
Thirteen-hour day for me (and 16 for roaminrob); we had a server go down at work, had to install a replacement from scratch once fsck failed (fortunately we have good backups), and then ... discovered the backdoor(s). I've been most of the last six hours manually combing the /home directory tree with find because off-the-shelf rootkit detectors typically ignore it, and we had at least half a dozen scattered, hidden directories with root executables, images-with-embedded-files, and other fun things.

Anyway. Be that as it may, a quick request for my musically inclined readers: Anyone have a copy of just the last half of (the non-acoustic) "Layla"? I mean the extended instrumental jam with the piano and the guitar.

Current Location: ~/brainstorm
Current Mood: tired

(5 comments)

Date:June 27th, 2007 05:33 pm (UTC)
off-the-shelf rootkit detectors typically ignore it

I hadn't been aware of that, and I'm glad I am now. Why would that be, though? If a user's password gets compromised and a cracker gets in, the one thing they're guaranteed access to is some portion of /home. Are the rootkits just looking for the results of holes such as buffer overflows, not direct password cracking?

I remember the one time we got hacked here, and it was a nasty feeling. I hope that's the last time for a while that you have to fumigate a server...
Date:June 27th, 2007 09:35 pm (UTC)
Bax has been doing the heavy lifting on the rootkit stuff on this one, but if I were to hazard a guess, it would be that the rootkits mostly work by checking hashes on common binaries, parts of the kernel, and so on. It would actually be kinda hard to check random stuff in users' home directories for stuff that might be a rootkit.

Plus, what we've been finding a lot of are things in users' home directories that are root:root --------rwx.
Date:June 27th, 2007 10:42 pm (UTC)
I'm pretty sure I've seen tiger check for strange SUID/SGID files and device nodes and stuff in /home. Of course, that doesn't help much if your rootkit is clever and has already lodged itself in the kernel.

Date:June 27th, 2007 08:24 pm (UTC)
Yiiikes. You don't want to hear this, but rootkits have gotten sufficiently subtle that the standard advice is "nuke it from orbit".
Date:June 27th, 2007 09:51 pm (UTC)
We built an OpenBSD 4.1 server from scratch, and have been exceedingly selective about which files we've copied over from the old backups.

I'm fresh out of tactical nukes, but I did drop a crowbar on it from orbit.
Tomorrowlands Powered by LiveJournal.com