Happy New Rootkit
I'm back from holidays, and had intended to write about all the interesting diving I had managed to get done.
Unfortunately, the machine of one of our clients was compromised this afternoon, so instead I'm currently in the process of cleaning things up. I know how the attackers got in, and I have clean backups that verify without an issue. The main thing now is gaining physical access to the machine and the dull dull task of cleaning the disks and initiating a restore. There's reason to believe that the kernel has been modified by a direct write to /dev/kmem, so nothing the machine tells me can possibly be trusted.
This particular compromise falls into the "What? I didn't know we had that installed (outside of the packaging system)" category.
