Re: Box Cracked ( Was: thank's )

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



bob.smith@xxxxxxxxxxx wrote:
Manuel Arostegui Ramirez <manuel@xxxxxxxxxxxxxx> kirjoitti:
El Sábado, 20 de Octubre de 2007 16:37, Les Mikesell escribió:
>
> Note that if the box has been cracked with a typical rootkit, the
> netstat program (and ps, ls, etc.) will have been replaced with versions
>   that don't show what is really going on.
>

Absolutely.
The thing is that the original poster have not provided any information or any thought that lead him to think he has been hacked, so we're just guessing...

I just think he don't have any idea about what's going on on his system, so we don't know if he already ran rkhunter or similar to find out if there's any well-known rootkit installed...

Let's wait...

All the best
Manuel

--
Manuel Arostegui Ramirez.

Electronic Mail is not secure, may not be read every day, and should not
be used for urgent or sensitive issues.


Attached tmp directory ls -lR, anything unnormal to your eyes there?

If you think you've been rooted, assume it's been done properly*, and do your forensics from RO media.

I think insert linux is a forensic kit, look at distrowatch for it: with a name like that, google's probably not going to help.

At a pinch you can boot the rescue disk and "DO NOI" chroot to the system. Use find to look for strange binaries in strange places, run "rpm -Va" to check for replaced binaries (I don't suppose a negative finding is entirely trustworthy) and "rpm -qa --last" to see what's installed recently.


Also, look at all users' .bash_history; I have seen careless intruders leave evidence there.

You could also compare the sizes of ls, find, ps with the sizes of known-good ones; it's highly likely an intruder would replace those binaries, and some others.




* "Properly" means find, ls, ps, lsof, netstat are all altered to hide the fact you-re 0wned.


--

Cheers
John

-- spambait
1aaaaaaa@xxxxxxxxxxxxxxxx  Z1aaaaaaa@xxxxxxxxxxxxxxxx

Please do not reply off-list


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux