Rootkit infections: AARRGH!

Chris Brenton cbrenton at chrisbrenton.org
Mon May 9 15:17:00 EDT 2005


On Mon, 2005-05-09 at 13:15, Neil Joseph Schelly wrote:
>
> On Monday 09 May 2005 10:16 am, Kevin D. Clark wrote:
> >
> > You have a lot more information if you know that "user" logged in via
> > ssh and then su'd to root compared to just knowing that somebody
> > somewhere logged in as root.
> 
> That is an interesting perspective I hadn't considered.  I can think of more 
> than a time or two that would have been helpful in retrospect.  So perhaps 
> it's more of an administration best practice than a security best practice?

Both. ;-)

Actually, if you want to take it one step further, go with Bill's
comment about using sudo. This permits you to create a very complex
password for root but never have to hand it out (that way you can still
log on from the console using the account if needed). The additional
benefit of sudo is anything done at root level generates a log entry you
can Syslog off to another system.

I wrote up a paper on doing this on a Linux firewall here:
http://www.loganalysis.org/sections/parsing/application-specific/firewall-logging.html

In the iptables section at the top I give some sudo log entry examples.
Note you get to see who ran the command and even what switches were
used. Yes you can fall back on .bash_history, but usually that gets
cleaned of the useful info.

Also, go with Derek's comment about using public/private keys instead of
password authentication. Just make sure you disable password capability
once you get it set up. A great tool to help install keys is located
here:
http://www.stearns.org/ssh-keyinstall/

Finally, I'm not sure enough info has been presented to help Fred figure
out how they are getting in. Some missing pieces of info:
What ports are open?
chkrootkit will report the rootkit associated with each file; which kit
was reported?
Can the logs be trusted or are they stored on the same system?
Does .bash_history show anything useful, or has it been cleaned?

HTH,
Chris
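The two practices Chris recommends, sudo entries that record who ran what with which switches, and sshd configured for keys only, can both be checked from a shell. The script below is an added example, not code from the thread or from the ssh-keyinstall tool it links; the host name "fw", the users alice and bob, the address 192.0.2.10 and the log lines are constructed, in the format sudo and sshd actually write to syslog.

```shell
#!/bin/sh
# Added example (not from the original thread): extract "who ran what,
# with which switches" from sudo's syslog entries, and check an
# sshd_config for key-only authentication.
# The host "fw", users alice/bob, the address and all log lines are constructed.

# Constructed sample of the lines sudo and sshd write to syslog.
SAMPLE_LOG='May  9 14:02:11 fw sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/iptables -L -n
May  9 14:05:40 fw sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
May  9 14:06:02 fw sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers
May  9 14:07:15 fw sshd[2310]: Accepted publickey for alice from 192.0.2.10 port 51022 ssh2'

# Print "user -> target: command" for every sudo command that actually ran.
sudo_ran() {
    grep ' sudo: ' | grep -v ' : command not allowed ; ' |
    sed -n 's/^.* sudo: *\([^ ]*\) : .*USER=\([^ ]*\) ; COMMAND=\(.*\)$/\1 -> \2: \3/p'
}

# Print "user: command" for every sudo request the policy refused.
sudo_denied() {
    grep ' sudo: ' | grep ' : command not allowed ; ' |
    sed -n 's/^.* sudo: *\([^ ]*\) : .*COMMAND=\(.*\)$/\1: \2/p'
}

# Print the effective value of an sshd_config keyword: sshd takes the first
# match, keywords are case-insensitive, and commented lines do not count.
# $1 = config file, $2 = keyword, $3 = sshd's default when it is absent.
sshd_value() {
    v=$(awk -v k="$2" 'tolower($1)==tolower(k){print tolower($2); exit}' "$1")
    printf '%s\n' "${v:-$3}"
}

# Succeed only when sshd accepts keys and refuses passwords.
sshd_key_only() {
    [ "$(sshd_value "$1" PasswordAuthentication yes)" = no ] &&
    [ "$(sshd_value "$1" PubkeyAuthentication yes)" = yes ]
}

echo "sudo commands that ran:"
printf '%s\n' "$SAMPLE_LOG" | sudo_ran
echo "sudo commands refused by policy:"
printf '%s\n' "$SAMPLE_LOG" | sudo_denied

# Constructed sshd_config fragments: one still on the password default
# (the PasswordAuthentication line is only commented out), one hardened.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
printf '%s\n' '#PasswordAuthentication no' 'PubkeyAuthentication yes' > "$WEAK_CFG"
printf '%s\n' 'PubkeyAuthentication yes' 'PasswordAuthentication no' \
    'ChallengeResponseAuthentication no' > "$HARD_CFG"

for cfg in "$WEAK_CFG" "$HARD_CFG"; do
    if sshd_key_only "$cfg"; then echo "$cfg: key-only"
    else echo "$cfg: passwords still accepted"; fi
done
```

Run it against a real box with `grep ' sudo: ' /var/log/auth.log | sudo_ran` (or whatever file your syslog routes the auth facility to) and `sshd_key_only /etc/ssh/sshd_config`. The commented-out line in the first fragment is the case that catches people: sshd falls back to its default, which is to accept passwords, so the check has to look at the first uncommented value rather than at whether the keyword appears at all.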

More information about the gnhlug-discuss mailing list