
#1 2007-03-17 23:59:36

kleptophobiac
Member
From: Sunnyvale, CA
Registered: 2004-04-25
Posts: 489

Friend's box got rooted - now what?

A friend of mine changed his root password to something idiotic after I set up his system, and some bot dictionary-attacked his box and got root access. Now there's ttymon and tymon running in the background, and I'm not sure where it's being launched from. I've reinstalled archlinux kernels and coreutils, and chkrootkit came back clean (though I *KNOW* ls was not the original utility).

Anyway, what should I do to help him clean up his box? Reinstalling from scratch would be a bit of a pain, but it's what I'm going to try to convince him of doing.


#2 2007-03-18 00:31:20

skymt
Member
Registered: 2006-11-27
Posts: 443

Re: Friend's box got rooted - now what?

Tell him you really can't tell if there's a rootkit (chkrootkit only checks for some common known rks and signs of rks) and point him here.

Also, any hacker worth his bandwidth will try to open as many hidden back doors as possible. It's almost impossible to know for certain that you've gotten rid of all of them. Reinstallation is really the only practical option.


#3 2007-03-18 01:17:15

Snarkout
Member
Registered: 2005-11-13
Posts: 542

Re: Friend's box got rooted - now what?

Reinstall if you have good reason to believe it's ever been compromised. I always recommend chkrootkit and rkhunter, but the reality is that a good kit will render them useless in any event. Booting from a forensics disk and running things from there is best.


Unthinking respect for authority is the greatest enemy of truth.
-Albert Einstein


#4 2007-03-18 16:29:05

kleptophobiac
Member
From: Sunnyvale, CA
Registered: 2004-04-25
Posts: 489

Re: Friend's box got rooted - now what?

I booted from the archlinux install disc, mounted the root partition, and ran rkhunter. It found SHV4/SHV5. Using the log files that it created, I went and deleted everything it found. Now on boot there are no longer any fishy-looking processes, and the machine's CPU usage isn't 50-60% while idling at a console.

BTW, my friend discovered the compromise of his system when he got an email from residential computing saying that sysadmins from Germany were complaining about his box DoSing them.

I'm still working on him to nuke and start over, but it'll probably take another compromise before he agrees to it.

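Post #3's advice (run the checks from a forensics disc, never with the suspect system's own binaries) and post #4's workflow (boot a live disc, mount the root partition, inspect it from outside) can be turned into a small offline check. The script below is an added example written for this thread; it is not code from the thread, from rkhunter or from chkrootkit. It assumes a SHA-256 manifest in `sha256sum` output format that was generated earlier from a known-good install of the same package versions (on a current Arch system, `pacman -Qkk --root /mnt` against the mounted root does roughly the same job using the package database), and it builds a constructed pair of directory trees, including a placeholder `ttymon` line in a fake `rc.local`, purely so the two checks have something to run against. The second function addresses post #1's question of where a process like ttymon is being launched from, by listing files under the suspect `/etc` and cron spool that mention it.

```shell
#!/bin/sh
# Added example (not from the thread, nor from rkhunter/chkrootkit):
# offline checks against a suspect root filesystem mounted read-only at ROOT,
# run with the live disc's own sha256sum/grep, never the suspect system's.

# verify_manifest MANIFEST ROOT
# MANIFEST is in `sha256sum` output format ("<hash>  <relative path>"), made
# earlier from a known-good install (assumption). Prints one line per file that
# is missing or whose hash differs; returns 1 if anything was reported, else 0.
verify_manifest() {
    manifest="$1"
    root="$2"
    bad=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        expected="${line%% *}"
        path="${line#* }"
        path="${path# }"        # sha256sum separates hash and path with two spaces
        path="${path#\*}"       # tolerate binary-mode "*path" entries
        target="$root/$path"
        if [ ! -f "$target" ]; then
            echo "MISSING  $path"
            bad=1
            continue
        fi
        actual=$(sha256sum "$target" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $path"
            bad=1
        fi
    done < "$manifest"
    return "$bad"
}

# find_launch_points ROOT NAME
# Lists text files under the suspect /etc and cron spool that mention NAME,
# one path per line; returns 0 if at least one was found, 1 otherwise.
find_launch_points() {
    root="$1"
    name="$2"
    hits=$(for dir in "$root/etc" "$root/var/spool/cron"; do
               [ -d "$dir" ] && grep -rIl -- "$name" "$dir" 2>/dev/null
           done)
    [ -n "$hits" ] && printf '%s\n' "$hits"
}

# make_demo_tree DIR
# Builds a constructed "known-good" tree and a "suspect" tree under DIR so the
# checks can be exercised offline; none of this is real system content.
make_demo_tree() {
    dir="$1"
    mkdir -p "$dir/good/bin" "$dir/suspect/bin" "$dir/suspect/etc"
    printf 'original ls binary\n'      > "$dir/good/bin/ls"
    printf 'original netstat binary\n' > "$dir/good/bin/netstat"
    printf 'original ps binary\n'      > "$dir/good/bin/ps"
    printf 'replaced ls binary\n'      > "$dir/suspect/bin/ls"   # tampered copy
    cp "$dir/good/bin/ps" "$dir/suspect/bin/ps"                  # untouched copy
    # bin/netstat is deliberately absent from the suspect tree
    # placeholder path; constructed for the demo, not a real rootkit location
    printf '#!/bin/sh\n/path/to/ttymon &\n' > "$dir/suspect/etc/rc.local"
    printf 'DAEMONS=(syslog-ng network crond)\n' > "$dir/suspect/etc/rc.conf"
    (cd "$dir/good" && sha256sum bin/ls bin/netstat bin/ps) > "$dir/manifest.sha256"
}

# --- demonstration on the constructed trees ---
demo=$(mktemp -d)
make_demo_tree "$demo"
echo "== integrity check against the manifest =="
verify_manifest "$demo/manifest.sha256" "$demo/suspect"
echo "exit status: $?"
echo "== files mentioning ttymon =="
find_launch_points "$demo/suspect" ttymon
rm -rf "$demo"
```

Neither function executes anything from the suspect partition, so a replaced `ls` or `sha256sum` there is never run. Against a real mount, call `verify_manifest known-good.sha256 /mnt` and `find_launch_points /mnt ttymon` after mounting the partition read-only from the live disc; on the constructed trees the first reports `bin/ls` as modified and `bin/netstat` as missing, and the second points at the fake `etc/rc.local`.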

#5 2007-03-18 18:01:28

japetto
Member
From: Chicago, IL US
Registered: 2006-07-02
Posts: 183

Re: Friend's box got rooted - now what?

Hopefully he learned his lesson :)

