Tuesday, November 17, 2009

The SHV5 rootkit

I found out yesterday evening that my home server was cracked. This is an old desktop which runs in a cupboard in my house, and it contains no sensitive data whatsoever. Maybe that's why I've been slacking on security: I hadn't done updates for some time until I tried a dist-upgrade to Debian Lenny, mainly for fun. I had noticed some funny behaviour before, but thought nothing of it.

While dist-upgrading, I found out that the SHV5 rootkit had been installed. I found more information on this here: http://blog.gnist.org/article.php?story=hollidaycracking . Still, it seems they must have gained root access in order to install the rootkit, and how that happened worries me.

I thought I was secure, having at some point installed DenyHosts, having disallowed ssh root access, etcetera. Maybe the rootkit was installed before that.