Box Cracked ( Was: thank's )

John Summerfield debian at herakles.homelinux.org
Sat Oct 20 23:52:20 UTC 2007


bob.smith at kolumbus.fi wrote:
> Manuel Arostegui Ramirez <manuel at todo-linux.com> wrote:
>> On Saturday, 20 October 2007 16:37, Les Mikesell wrote:
>> >
>> > Note that if the box has been cracked with a typical rootkit, the
>> > netstat program (and ps, ls, etc.) will have been replaced with
>> > versions that don't show what is really going on.
>> >
>>
>> Absolutely.
>> The thing is that the original poster has not provided any
>> information or any thought that led him to think he has been hacked,
>> so we're just guessing...
>>
>> I just think he doesn't have any idea about what's going on on his
>> system, so we don't know if he already ran rkhunter or similar to find
>> out if there's any well-known rootkit installed...
>>
>> Let's wait...
>>
>> All the best
>> Manuel
>>
>> -- 
>> Manuel Arostegui Ramirez.
>>
>> Electronic Mail is not secure, may not be read every day, and should not
>> be used for urgent or sensitive issues.
>>
> 
> Attached tmp directory ls -lR, anything unnormal to your eyes there?

If you think you've been rooted, assume it's been done properly*, and do 
your forensics from RO media.

I think insert linux is a forensic kit, look at distrowatch for it: with 
a name like that, google's probably not going to help.

At a pinch you can boot the rescue disk and "DO NOT" chroot to the 
system. Use find to look for strange binaries in strange places, run 
"rpm -Va" to check for replaced binaries (I don't suppose a negative 
finding is entirely trustworthy) and "rpm -qa --last" to see what's 
installed recently.


Also, look at all users' .bash_history; I have seen careless intruders 
leave evidence there.

You could also compare the sizes of ls, find, ps with the sizes of 
known-good ones; it's highly likely an intruder would replace those 
binaries, and some others.




* "Properly" means find, ls, ps, lsof, netstat are all altered to hide 
the fact you're 0wned.


-- 

Cheers
John

-- spambait
1aaaaaaa at coco.merseine.nu  Z1aaaaaaa at coco.merseine.nu

Please do not reply off-list
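The checks described in the post above, as an added example that is not part of the original message: a POSIX sh script meant to be run from rescue media against the suspect disk mounted read-only, without ever chrooting into it. The mount point, the manifest format, the directory list and the tool list are assumptions made for this example.

```shell
#!/bin/sh
# Offline triage of a suspect disk from rescue media. ROOT is where the
# suspect filesystem is mounted read-only (e.g. /mnt/suspect); nothing here
# chroots into it or runs its binaries. Manifest format, directory list and
# tool list are assumptions made for this example.

# Record "path size crc" for each tool, run against a KNOWN-GOOD box of the
# same release; the result is later compared against the suspect disk.
make_manifest() {          # make_manifest ROOT path...
  root="$1"; shift
  for p in "$@"; do
    set -- $(cksum "$root/$p")            # cksum prints: crc size filename
    printf '%s %s %s\n' "$p" "$2" "$1"
  done
}

# Executable or setuid regular files in directories that should hold none.
find_strange_binaries() {  # find_strange_binaries ROOT
  root="$1"
  for d in tmp var/tmp dev; do
    [ -d "$root/$d" ] || continue
    find "$root/$d" -xdev -type f \( -perm -100 -o -perm -4000 \) 2>/dev/null
  done
}

# Compare each manifest entry's size AND checksum with the suspect disk:
# a replaced binary padded to the original size passes a size-only check.
# Prints MISSING/ALTERED lines and returns 1 if anything differs.
compare_with_manifest() {  # compare_with_manifest ROOT MANIFEST
  root="$1"; manifest="$2"; status=0
  while read -r p size crc; do
    if [ ! -f "$root/$p" ]; then echo "MISSING $p"; status=1; continue; fi
    set -- $(cksum "$root/$p")
    if [ "$2" != "$size" ] || [ "$1" != "$crc" ]; then
      echo "ALTERED $p (size $2, expected $size)"; status=1
    fi
  done < "$manifest"
  return $status
}

# Shell histories worth reading (read only, never sourced or executed).
list_histories() {         # list_histories ROOT
  find "$1/root" "$1/home" -maxdepth 2 -type f -name '.*history' 2>/dev/null
}

# Typical run from rescue media, GOOD.manifest having been made on a clean box:
#   make_manifest / bin/ls usr/bin/find bin/ps usr/sbin/lsof bin/netstat > GOOD.manifest
if [ -n "${SUSPECT_ROOT:-}" ]; then
  find_strange_binaries "$SUSPECT_ROOT"
  compare_with_manifest "$SUSPECT_ROOT" "${MANIFEST:-GOOD.manifest}"
  list_histories "$SUSPECT_ROOT"
fi
```

`rpm -Va --root /mnt/suspect` can be run the same way from the rescue media, but it trusts the suspect disk's own rpm database, so a clean result there is weak evidence.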