On Sat, 26 Feb 2005, Jonathan Hutchins wrote:
> While it's clear somebody took advantage of a vulnerability to install a trojan, I think that "rooted" implies a lot more to you than what actually happened to this system.
"Rooted" to me means that an unauthorized person has gained root access. Since your disk was wiped, this frankly has _got_ to be the case. To me, "trojan" refers to the method of replication and has nothing to do with the function of a program. The question to me is, does the "rootedoor" "trojan" provide a root shell if running as root? The answer is certainly yes, although I can't really find any information about it.
> We'll probably never know what happened to the system the day it was "cleared". I have good reason to believe that except for vulnerabilities, the restored image was uncompromised, and through exhaustive examination I believe that the system is currently uncompromised. Thirty-six hours of running with no suspicious behavior confirm this.
I suggest remote logging so that you will have some forensics if it ever happens again.
> I don't feel there's any need to panic and wipe the thing.
I didn't suggest that you should. That's your call, not mine. Even if you do wipe it, there are always user programs that will be replicated. I just think that you should consider using known safe utilities to inspect the machine, like from a Knoppix CD. Using netstat, make sure nothing is running that you can't explain or that isn't necessary. Check all your cron entries; sometimes backdoors only run on alternate Tuesdays from 4 till 4:15. I don't really do the RedHat thing, but update all the programs that have security advisories. Reinstall login, ssh, telnet, ftp, apache, anything that has a port open to the outside. Check all binaries in cgi-bin. Actually, reinstall everything if it's an old box. Run nessus against it from inside and outside. These rootkits are pretty damned sophisticated. Anybody who really knew what he was doing, you'd probably never find out that he was there in the first place.
Having said that, since whoever got in wiped the disk, which is not the act of a "professional", it's much more likely that your backup image is okay. My opinion doesn't make it so, however. Maybe it was a first-timer who got nervous about being able to cover his tracks. Who knows?
*If* you restored a pre-crack backup and *if* you plugged the hole(s) that were exploited, your system is safer now than before the crack. Those are two big ifs, since you don't know exactly when and how it was compromised. But the only way to have a perfectly secure box is to unplug it and padlock it in a bunker somewhere. Maybe with Dick Cheney.
I'm no "security expert". I subscribe to the debian-security mailing list and read the occasional article and treatise. I try to stay on top of possible root exploits, but I'm more like the mule who gets whacked by a two by four and gains some knowledge about the nature of lumber in the process.
Regards,
-Don
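The two checks Don recommends above (unexplained listening ports, and cron entries that fire from odd places or in narrow windows) scripted as an added example. This is not code from either message in the thread; the netstat and crontab lines are constructed samples, and the port allowlist is an assumption about what the box is supposed to run. On a real system you would feed it the output of `netstat -tlnp` run from trusted binaries (the Knoppix CD) and the crontabs from the mounted suspect disk.

```shell
#!/bin/sh
# Constructed sample of `netstat -tlnp` output (not captured from the
# system discussed in the thread). Columns: Proto Recv-Q Send-Q Local
# Foreign State PID/Program.
SAMPLE_NETSTAT='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 812/sshd
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 901/httpd
tcp 0 0 0.0.0.0:31337 0.0.0.0:* LISTEN 1337/./.x
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 650/sendmail'

# Assumption: this box is supposed to offer ssh, http and local mail only.
ALLOWED_PORTS="22 80 25"

# Print "port pid/program" for every LISTEN socket whose local port is
# not on the allowlist. Anything printed needs an explanation.
unexplained_listeners() {
    printf '%s\n' "$1" | awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)   # keep text after the last colon
            if (!(port in ok)) print port, $7
        }'
}

# Constructed sample user crontab (five schedule fields, then the command).
# For /etc/crontab-style files there is an extra user field; shift $6 to $7.
SAMPLE_CRON='# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
0-15 4 * * 2 /tmp/.sysd
*/10 * * * * /var/tmp/.x/run.sh
30 2 1 * * /usr/bin/updatedb'

# Flag entries whose command lives in a world-writable directory or a
# hidden (dot) path, or that run only in a minute range on one weekday,
# the "Tuesdays from 4 till 4:15" pattern. Each flagged line is echoed
# with the reason in parentheses.
suspicious_cron() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        {
            cmd = $6
            reason = ""
            if (cmd ~ /^\/(tmp|var\/tmp|dev\/shm)\//)
                reason = "world-writable dir"
            if (cmd ~ /\/\./)
                reason = (reason ? reason "; " : "") "hidden path"
            if ($1 ~ /-/ && $5 ~ /^[0-6]$/)
                reason = (reason ? reason "; " : "") "narrow weekday window"
            if (reason != "")
                print $1, $2, $3, $4, $5, cmd, "(" reason ")"
        }'
}

# Stand-alone run against the constructed samples.
echo "== listeners you cannot explain =="
unexplained_listeners "$SAMPLE_NETSTAT"
echo "== cron entries worth a second look =="
suspicious_cron "$SAMPLE_CRON"
```

On the live box, replace the sample strings with `"$(netstat -tlnp 2>/dev/null)"` and `"$(cat /var/spool/cron/* /etc/cron.d/* 2>/dev/null)"`, invoking the netstat and awk binaries from the CD rather than the suspect disk, since a rootkit that replaces netstat will happily hide its own port.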