Re: Box Cracked ( Was: thank's )

[email protected] wrote:
Manuel Arostegui Ramirez <[email protected]> kirjoitti:
El Sábado, 20 de Octubre de 2007 16:37, Les Mikesell escribió:
>
> Note that if the box has been cracked with a typical rootkit, the
> netstat program (and ps, ls, etc.) will have been replaced with versions
> that don't show what is really going on.
>

Absolutely.
The thing is that the original poster has not provided any information or any thought that leads him to think he has been hacked, so we're just guessing...
I just think he doesn't have any idea about what's going on on his
system, so we don't know if he already ran rkhunter or similar to find
out if there's any well-known rootkit installed...
Let's wait...

All the best
Manuel

--
Manuel Arostegui Ramirez.

Electronic Mail is not secure, may not be read every day, and should not
be used for urgent or sensitive issues.

Attached tmp directory ls -lR, anything abnormal to your eyes there?
If you think you've been rooted, assume it's been done properly*, and do
your forensics from RO media.
I think insert linux is a forensic kit, look at distrowatch for it: with
a name like that, google's probably not going to help.
At a pinch you can boot the rescue disk and "DO NOT" chroot to the
system. Use find to look for strange binaries in strange places, run
"rpm -Va" to check for replaced binaries (I don't suppose a negative
finding is entirely trustworthy) and "rpm -qa --last" to see what's
installed recently.

Also, look at all users' .bash_history; I have seen careless intruders leave evidence there.
You could also compare the sizes of ls, find, ps with the sizes of
known-good ones; it's highly likely an intruder would replace those
binaries, and some others.



* "Properly" means find, ls, ps, lsof, netstat are all altered to hide the fact you-re 0wned.

--

Cheers
John

-- spambait
[email protected]  [email protected]

Please do not reply off-list
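The checklist in John's reply (read-only media, no chroot, find for odd binaries, rpm -Va and rpm -qa --last, comparing ls/ps/find against known-good copies), as an added shell example that is not part of the thread; the root paths, the binary list and the tmp-directory heuristic are assumptions:

```shell
# Added example, not code from the thread. Run from a rescue boot: GOOD is a
# known-good tree (e.g. the rescue media's own "/"), SUSPECT is the cracked
# box's root mounted read-only (e.g. /mnt/suspect); paths are assumptions.

# Binaries the thread says a "proper" rootkit replaces, relative to root.
SUSPECT_BINS="bin/ls bin/ps usr/bin/find usr/sbin/lsof bin/netstat"

# Size and CRC of a file (POSIX tools only, for minimal rescue media);
# prints "missing" if the file is absent. Always returns 0.
fingerprint() {
    if [ -f "$1" ]; then
        printf 'size=%s crc=%s' "$(wc -c < "$1" | tr -d ' ')" \
            "$(cksum < "$1" | cut -d' ' -f1)"
    else
        printf 'missing'
    fi
}

# compare_bins GOOD SUSPECT: prints one MISMATCH line per binary whose
# size/CRC differs or that is missing; returns the mismatch count (0 = all matched).
compare_bins() {
    good=$1; suspect=$2; mismatches=0
    for rel in $SUSPECT_BINS; do
        g=$(fingerprint "$good/$rel"); s=$(fingerprint "$suspect/$rel")
        if [ "$g" != "$s" ]; then
            echo "MISMATCH $rel good=[$g] suspect=[$s]"
            mismatches=$((mismatches + 1))
        fi
    done
    return $mismatches
}

# suspicious_tmp_files SUSPECT: "strange binaries in strange places", i.e.
# regular files under the tmp directories that are executable or hidden.
suspicious_tmp_files() {
    for d in "$1/tmp" "$1/var/tmp"; do
        [ -d "$d" ] || continue
        find "$d" -type f \( -perm -u+x -o -path '*/.*' \) 2>/dev/null
    done
    return 0
}

# rpm_checks SUSPECT: the thread's rpm -Va / rpm -qa --last step, pointed at
# the suspect tree with --root, skipped when rpm is not on the rescue media.
rpm_checks() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available"; return 0; }
    rpm -Va --root="$1" || echo "(rpm -Va reported differences above)"
    rpm -qa --last --root="$1" | head -n 20
}
```

From the rescue shell this is `compare_bins / /mnt/suspect; suspicious_tmp_files /mnt/suspect; rpm_checks /mnt/suspect`; as the thread says, a clean result is triage, not clearance.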

