similar to: Unknown rootkit causes compromised servers

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Ok...did some checking. I forgot to mention that I killed dead syslogd. Not just a -HUP but an actual kill and restarted. I did this several times. I was trying to get something else to work. Anyway, I killed it again this morning and restarted. The infect message went away immediately. Could this have been the problem? -

Does anybody have any issues with the AJAX code inside rails? Whenever i use any sites i have built, or even external sites (such as basecamphq) my internal security device blocks access to the Ajax piece with a 400 Bad Request ( i scoured the net for other ajax examples and no isses anywhere else). I think there is something in the AJAX code of rails that is not implemented correctly. Has

Hello everyone, I hope you are having a good day. However, I am concerned by this: https://isc.sans.edu/diary/SSHD+rootkit+in+the+wild/15229 Has anyone heard yet what the attack vector is, if 5.9 and 6.4 are affected, and if a patch is coming out? Thanks! Gilbert ******************************************************************************* Gilbert Sebenste

I ran chkrootkit and this is what I got. should I worry or is this normal? I'm running 4.8 thanks. Checking `wted'... 3 deletion(s) between Sat Jun 26 18:10:21 2027 and Sun Mar 24 04:27:12 2024 4 deletion(s) between Sun Mar 24 04:27:12 2024 and Sun Mar 24 04:27:12 2024 5 deletion(s) between Sun Mar 24 04:27:12 2024 and Sun Mar 24 04:27:12 2024 1 deletion(s) between Sun Mar 24 04:27:12

Hello; I'm running a FreeBSD 4.10-release-p2 box and both chkrootkit 0.44 & 0.45 report that my /sbin/init file is infected. It appears as though the egrep for "UPX" in the output of "strings" triggers the infected notice. When I copy the init file from an uninfected box to this one chkrootkit continues to report it as infected. Is chkrootkit reading a copy of the

Anyone wanna explain why ClamAV thinks Wine has a rootkit in it? It finds "mountmgr.sys" and "usbd.sys" as "BC.Heuristics.Rootkit.B" This is not altered Wine.. or even used... but it happens just pure straight up compile from source Wine even if its never been ran.... its finding them in the fakedlls folder. I have not tried on Linux, only on Mac OS X, using the

On 19 June 2018 at 19:37, David Vrabel <david.vrabel at nutanix.com> wrote: > It's not clear how this increases security. What threats is this > protecting again? It won't completely protect prevent rootkits, because still rootkits can edit dynamic kernel data structures, but it will limit what rootkits damage to only dynamic data. This way system calls can't be changed, or

If the attacker could get a shell, the attacker could have used this local root exploit to get the necessary privileges to install the rootkit. One reason why there seem to be few RHEL reports is that RHEL5 is not that widely available yet but lots of vulnerable Fedora/Debian installations are available.

Hi, there is a remote (VPS) Centos 4.2 server which *may* have been compromised. Reinstalling everything from scratch isn't a problem, it may even be an occasion to improve a few things, the question is another. There are backups of necessary shell script, ASCII configuration files and more or less important email (maildir format, if it matters) including messages with binary attachments in

On 16.06.2018 13:49, Ahmed Soliman wrote: > Following up on these threads: > - https://marc.info/?l=kvm&m=151929803301378&w=2 > - http://www.openwall.com/lists/kernel-hardening/2018/02/22/18 > > I lost the original emails so I couldn't reply to them, and also sorry > for being late, it was the end of semester exams. > > I was adviced on #qemu and

Hi all, I need to install an anti-rootkid in a lot of servers. I know that there're several options: tripwire, aide, chkrootkit... ?What do you prefer? Obviously, I have to define my needs: - easy setup and configuration - actively developed -- Thanks, Jordi Espasa Clofent

Hi, I have a 4.9-STABLE FreeBSD box apparently hacked! Yesterday I ran chkrootkit-0.41 and I don't like some of the outputs. Those are: chfn ... INFECTED chsh ... INFECTED date ... INFECTED ls ... INFECTED ps ... INFECTED But all the rest is NOT PROMISC, NOT INFECTED, NOTHING FOUND, NOTHING DELETED, or NOTHING DETECTED. I know by the FreeBSD-Security archives that

Hello, I found this lurking around the web, and thought people who are running SSH-1.2.27 might be interested. -- Kevin Sindhu <kevin at tgivan dot com> Systems Engineer TGI Technologies Inc. Tel: (604) 872-6676 Ext 321 107 E 3rd Avenue Fax: (604) 872-6601 Vancouver,BC V5T 1C7 Canada. -------------- next part -------------- Welcome Root Kit SSH distribution v5.0 (by Zelea) This

Shortly after I sent the first email, we found that there is another way to achieve this kind of communication, via KVM Hypercalls, I think they are underutilised in kvm, but they exist. We also found that they are architecture dependent, but the advantage is that one doesn't need to create QEMU<-> kvm interface So from our point of view it is either have things easily compatible with

Following up on these threads: - https://marc.info/?l=kvm&m=151929803301378&w=2 - http://www.openwall.com/lists/kernel-hardening/2018/02/22/18 I lost the original emails so I couldn't reply to them, and also sorry for being late, it was the end of semester exams. I was adviced on #qemu and #kernelnewbies IRCs to ask here as it will help having better insights. To wrap things up, the

Following up on these threads: - https://marc.info/?l=kvm&m=151929803301378&w=2 - http://www.openwall.com/lists/kernel-hardening/2018/02/22/18 I lost the original emails so I couldn't reply to them, and also sorry for being late, it was the end of semester exams. I was adviced on #qemu and #kernelnewbies IRCs to ask here as it will help having better insights. To wrap things up, the

Does anybody know of these samba packages? http://ftp.cvut.cz/samba/samba-latest.tar.gz AFAICS they are faked and contain some kind of rootkit (you can see this in the history below. the server this history is from is taken offline for security reasons, and nobody is there till 7th Jan I can't give you more details) > 144 w > 145 cat /etc/issue > 146 uname -a > 147

Here is change log from V3 To V4: - Fixing spelling/grammar mistakes suggested by Randy Dunlap - Changing the hypercall interface to be able to process multiple pages per one hypercall also suggested by Randy Dunlap. It turns out that this will save lots of vmexist/memory slot flushes when protecting many pages. [PATCH RFC V4 1/3] KVM: X86: Memory ROE documentation [PATCH RFC V4 2/3] KVM:

This is one where there's probably no limit to what you could do. We have a high-security environment and are using Aide and OSSEC. Aide has been good at reporting file system changes and is very granular, the dilemma is what to monitor and what to ignore (keep from being inundated with reports of innocuous changes at the risk of missing something). However, it is not daemon-based so

-=> To moderator: I don't know whether it's wise to release the FTP-location I would recommend everyone to just look over their daemons, and run something like nessus against theirselves... Greetings, Jan-Philip Velders ---------- Forwarded message ---------- Date: Thu, 25 Mar 1999 16:26:59 -0700 From: "Ben Cantrick (Macky Stingray)" <mackys@MACKY.RONIN.NET> To: