bob.smith@xxxxxxxxxxx wrote:
Manuel Arostegui Ramirez <manuel@xxxxxxxxxxxxxx> kirjoitti:
El Sábado, 20 de Octubre de 2007 16:37, Les Mikesell escribió:
>
> Note that if the box has been cracked with a typical rootkit, the
> netstat program (and ps, ls, etc.) will have been replaced with
versions
> that don't show what is really going on.
>
Absolutely.
The thing is that the original poster have not provided any
information or any thought that lead him to think he has been hacked,
so we're just guessing...
I just think he don't have any idea about what's going on on his
system, so we don't know if he already ran rkhunter or similar to find
out if there's any well-known rootkit installed...
Let's wait...
All the best
Manuel
--
Manuel Arostegui Ramirez.
Electronic Mail is not secure, may not be read every day, and should not
be used for urgent or sensitive issues.
Attached tmp directory ls -lR, anything unnormal to your eyes there?
If you think you've been rooted, assume it's been done properly*, and do
your forensics from RO media.
I think insert linux is a forensic kit, look at distrowatch for it: with
a name like that, google's probably not going to help.
At a pinch you can boot the rescue disk and "DO NOI" chroot to the
system. Use find to look for strange binaries in strange places, run
"rpm -Va" to check for replaced binaries (I don't suppose a negative
finding is entirely trustworthy) and "rpm -qa --last" to see what's
installed recently.
Also, look at all users' .bash_history; I have seen careless intruders
leave evidence there.
You could also compare the sizes of ls, find, ps with the sizes of
known-good ones; it's highly likely an intruder would replace those
binaries, and some others.
* "Properly" means find, ls, ps, lsof, netstat are all altered to hide
the fact you-re 0wned.
--
Cheers
John
-- spambait
1aaaaaaa@xxxxxxxxxxxxxxxx Z1aaaaaaa@xxxxxxxxxxxxxxxx
Please do not reply off-list