[PLUG] Questions regarding compromised system

drew wymore drew.wymore at gmail.com
Fri Jan 19 21:45:56 UTC 2007


On 19 Jan 2007 13:32:43 -0800, Russell Senior <russell at personaltelco.net>
wrote:
>
> >>>>> "jason" == jason justman <jason at jasonjustman.com> writes:
>
> jason> NANOG has had a recent discussion about the dangers of CACTI,
> jason> referencing this secunia vulnerability:
>
> jason> http://secunia.com/advisories/23528/
>
> That's the one.  The logs indicate that the exploit was trying to
> download a file called ping.txt.  However, our captive portal (on a
> different box) was redirecting them to an auth page instead, which
> partially thwarted them.  Also, cacti was running as a user that
> didn't have write access to the directory where ping.txt would land.
> We do have a 1.7 gigabyte /var/log/apache/error.log file to show for


After having a couple of machines compromised (which I'm not proud to admit)
I did quite a bit of research and found that LCAP is very nice.

http://www.securityfocus.com/tools/882

One of the write-ups I followed suggested installing LCAP, then running
chkrootkit (which has a list of critical binaries it looks at), then making
those binaries immutable, and then removing the ability to remove the
immutable flag by way of LCAP ... the only way to bypass the security that
creates is physical access and booting into single user (at least that's the
theory anyway).

So far since I implemented the above as well as several other security
enhancements to my installs I haven't had any trouble :-)

Drew-
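An unprivileged audit script for the hardening Drew describes, added here as an illustration; it is not from the post, nor from the LCAP or chkrootkit projects. It assumes x86_64 Linux with an ext2/3/4-style filesystem, and reads the capability bounding set from the CapBnd line of /proc/self/status, which is where current kernels expose the per-process set that LCAP used to manipulate globally; the binary list is a constructed sample.

```python
"""Audit the LCAP + chattr hardening: are critical binaries immutable, and is
CAP_LINUX_IMMUTABLE out of the capability bounding set (CapBnd)?"""
import array
import fcntl
import re

FS_IOC_GETFLAGS = 0x80086601  # ext2/3/4 attribute ioctl (x86_64 value)
FS_IMMUTABLE_FL = 0x00000010  # the 'i' bit that lsattr shows
CAP_LINUX_IMMUTABLE = 9       # from linux/capability.h
# Illustrative list only; the set chkrootkit inspects varies by version.
CRITICAL_BINARIES = ["/bin/ls", "/bin/ps", "/bin/netstat", "/usr/bin/find",
                     "/bin/login", "/usr/sbin/sshd"]

def is_immutable(path):
    """True/False for the immutable flag; None if unreadable (missing file
    or a filesystem without ext-style attributes). Needs no privilege."""
    try:
        with open(path, "rb") as fh:
            buf = array.array("l", [0])
            fcntl.ioctl(fh.fileno(), FS_IOC_GETFLAGS, buf, True)
    except OSError:
        return None
    return bool(buf[0] & FS_IMMUTABLE_FL)

def cap_in_bounding_set(status_text, cap):
    """Parse the CapBnd hex mask from /proc/<pid>/status and test one bit."""
    m = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)", status_text, re.M)
    if not m:
        raise ValueError("no CapBnd line in status text")
    return bool((int(m.group(1), 16) >> cap) & 1)

def audit(status_text, paths):
    """Return a list of findings; an empty list means the hardening holds."""
    findings = []
    if cap_in_bounding_set(status_text, CAP_LINUX_IMMUTABLE):
        findings.append("CAP_LINUX_IMMUTABLE still in bounding set: "
                        "root can clear the immutable flag with chattr -i")
    for p in paths:
        state = is_immutable(p)
        if state is False:
            findings.append(f"{p}: immutable flag not set")
        elif state is None:
            findings.append(f"{p}: attributes unreadable (missing or unsupported fs)")
    return findings

if __name__ == "__main__":
    with open("/proc/self/status") as f:
        status = f.read()
    for line in audit(status, CRITICAL_BINARIES) or ["OK: hardening in place"]:
        print(line)
```

Run it as the user you care about (for example from a cron job or a shell after LCAP has run), since CapBnd is inherited per process and a finding in one context does not prove the flag can be cleared in another.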



More information about the PLUG mailing list