UConn Finds Rootkit in Hacked Server
“The rootkit was first placed on the server during a system compromise on October 26, 2003, but was only detected one week ago, on July 20.
UConn said the attack took advantage of an insecure service for which no vendor patch was available, but stressed that an analysis of the computer showed that that the original compromise was incomplete.“
A couple of things to keep in mind here. First, because the original compromise was incomplete, it most likely means that the rootkit was dropped by some worm exploiting a known weakness, but for some reason failed to fully deploy. In all likelihood, the ‘kit never “called home” so the attacker(s) never accessed the machine. Second, this stresses the need for constant vigilence. The 18 month gap between the intrusion and detection was most likely because the ‘kit was dormant and not giving off any signels of its presence. On the other hand, a sysadmin should know if, in less than 18 months, that there was an unauthorized access to the box.
So, remember folks: keep the firewalls up and limit remote acces to servers.