Rootkit infections: AARRGH!
Fred
puissante at biz.puissante.com
Mon May 9 08:52:01 EDT 2005
I'm about ready to pull my hair out.
This is the 2nd time I've had to deal with a rootkit infection, eating
up my precious time and resources away from being productive.
I've installed chkrootkit on the suspect server and found that a number
of the executables have been infected. I got suspicious when the server
mysteriously crashed. Sure enough, it's infected. And it's an FC3 system
to boot. The last system to be infected was a RH9 box.
What I'd like to know is how my systems are being cracked. What is the
port of entry(!)? How are my systems broken into? What's the latest news
on this?
I am suspicious that they are somehow breaking in through ssh -- my logs
show lots of suspicious sshd authentication failures. But my root
password is pretty sound, a near random mixture of numbers and alpha
characters. They must be breaking in through another account with a
weaker password. But I'm not sure of this.
I have taken countermeasures. Firstly, I have changed the ssh port
number. Not the most secure approach, granted, but at least their
automated attacks will be foiled somewhat, since they'll have to do more
work at hitting all of my ports -- and will probably not bother and move
on to the next server.
Secondly, on the infected machines, I use forced RPM installs to
overwrite everything, then follow up with a run from chkrootkit. This
seems to work, eliminating the need for me to burn down the box and
restore everything cleanly. Again, not a perfect solution, but seems to
work for now.
Thirdly, I have set up chkrootkit to be run daily as a cron job, with
the results emailed to me.
Well, that's it. Any suggestions will be greatly appreciated.
-Fred
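An added example, not part of Fred's post: one way to test the "weaker account" hypothesis against the sshd failures he mentions is to walk /var/log/secure in order, count failures per source address, and flag any accepted login that arrives from a source that had already failed several times. The log lines below are constructed in the syslog format sshd uses on RH9/FC3; the host, users and addresses are made up.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample lines in the format sshd writes to /var/log/secure;
# the host, users and addresses are made up for the example.
SAMPLE_LOG = """\
May  9 03:12:44 web1 sshd[4021]: Failed password for root from 198.51.100.7 port 4021 ssh2
May  9 03:12:47 web1 sshd[4023]: Failed password for illegal user test from 198.51.100.7 port 4025 ssh2
May  9 03:12:51 web1 sshd[4025]: Failed password for illegal user guest from 198.51.100.7 port 4031 ssh2
May  9 03:12:55 web1 sshd[4027]: Failed password for illegal user admin from 198.51.100.7 port 4034 ssh2
May  9 03:13:02 web1 sshd[4029]: Failed password for bob from 198.51.100.7 port 4040 ssh2
May  9 03:13:09 web1 sshd[4031]: Accepted password for bob from 198.51.100.7 port 4044 ssh2
May  9 08:01:10 web1 sshd[5102]: Accepted publickey for fred from 192.0.2.10 port 51022 ssh2
May  9 09:30:00 web1 sshd[5210]: Failed password for root from 203.0.113.9 port 2201 ssh2
"""

# Older OpenSSH logs "illegal user", newer releases "invalid user"; accept both.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) (\w+) for (?:(?:illegal|invalid) user )?"
    r"(\S+) from (\S+) port \d+"
)


def parse_sshd(text):
    """Return (outcome, method, user, source_ip) for each sshd auth line, in log order."""
    matches = (AUTH_RE.search(line) for line in text.splitlines())
    return [m.groups() for m in matches if m]


def summarize(events, threshold=3):
    """Count failures per source and flag any accepted login that follows at
    least `threshold` failures from the same source: the pattern a password
    guesser leaves when it finally hits an account with a weak password."""
    failures = Counter()            # source_ip -> failed attempts so far
    users_tried = defaultdict(set)  # source_ip -> usernames it guessed
    suspicious = []                 # (user, ip, method, failures before success)
    for outcome, method, user, ip in events:
        if outcome == "Failed":
            failures[ip] += 1
            users_tried[ip].add(user)
        elif failures[ip] >= threshold:
            suspicious.append((user, ip, method, failures[ip]))
    return failures, users_tried, suspicious


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    failures, users_tried, suspicious = summarize(parse_sshd(text))
    for ip, n in failures.most_common():
        print(f"{ip}: {n} failures, users tried: {sorted(users_tried[ip])}")
    for user, ip, method, n in suspicious:
        print(f"ALERT: {method} login as {user} from {ip} after {n} failures")
```

Run it as `python sshd_check.py /var/log/secure`; an ALERT line names the account and the source worth investigating first, and the per-source user lists show which local account names the guessing targeted.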