Server hacked, Desperate for help with FC6

[me at mattgillen.net (Matthew Gillen)]

Bill Horne wrote:
> David Kramer wrote:
>> Bill Horne wrote:
>>> Grant M. wrote:
>>>> [snip]
>>>> The Ubuntu Enterprise server we're using was compromised on a
>>>> non-priviledged account once, but there isn't anything installed that
>>>> the user could use, so no worries. 
>>> [snip]
>>>
>>> While we're on the subject, how did you find out?
>>
>> The first symptom was I was having problems with MySQL, which
>> eventually led to my website not working.
>>
>> In the end, the point of origin was almost definitely an exploit in
>> Zimbra, which is a web-based collaboration tool I installed to check
>> out, but never used.  I found all sorts of subtle hints, like a new
>> zimbra user, which ended up in the /etc/sudoers file, and it was in
>> the uucp group and the wheel group.
>>
>> The attack appears to have happened about three days after I installed
>> Zimbra, too.
> 
> Has anyone used a fingerprint verification scheme to check for hacks?
> Would it have caught this?

You mean like tripwire?  That wouldn't have necessarily detected anything,
unless a root-kit was installed in such a way as to replace system binaries.
But I doubt they'd bother with that unless the attacker was looking for
something very specific (ie they have a user targeted and want his password,
so they replace the 'login' program).  Typical script kiddies just want to
install an irc-bot or spam-server, and won't mess with the rest of the
system once they have root access.

Now something like 'chkrootkit' or rootkit hunter (http://www.rootkit.nl/)
may have a better chance.

Of course, my musings may be complete baloney...so take them for what
they're worth.

Matt

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.