March Meeting Presentations

John (EBo) David plug-discuss@lists.plug.phoenix.az.us
Mon, 11 Mar 2002 15:22:57 -0700


Bob George wrote:
> 
> "John (EBo) David" <ebo@leml.la.asu.edu> wrote:
> 
> > George Toft wrote:
> > >
> > > Hi John,
> > >
> > > Post a ps and let the group dissect it.
> >
> > Ok... See appended:
> 
> Output of ps won't mean much if a rootkit has already been installed
> (search on rootkits - i.e.
> http://linux.oreillynet.com/pub/a/linux/2001/12/14/rootkit.html)

I understand.  But since I was asked I thought maybe someone might see
something I didn't.

> Ideally, you'd have tools running up front to detect unauthorized changes.
> There are tools though (i.e. chkrootkit - http://www.chkrootkit.org/) to
> look for signs of compromise even after the fact.

It has been too long since I ran chkrootkit, but...  The only thing that
came up was:

  Searching for suspicious files and dirs, it may take a while...
  /usr/lib/perl5/5.6.0/i386-linux/.packlist

  Searching for LPD Worm files and dirs... nothing found
  ...

It really does appear like a packing list, but has a bunch of files
which end in .3pm and are from about the time I typically notice odd
things going on.  I assume that that is just a coincidence since there
are files there that end in .tar.gz extension...  Being in the man
directory I assumed that they are man pages, and the .gz being
gnuzipped... One such example is:

 /usr/share/man/man3/warnings::register.3pm type=file

I went ahead and tried looking at them and was unable with any of the
tools I expected, so does anyone have a clue what they should be for?
Any Perl gurus got an idea why they are not readable if they are
documentation?

> Running something like aide or tripwire against critical files is a good
> detection measure, but it needs to be set up up front.

My previous install I set up tripwire (had not heard about aide), but
have not taken the time because I have literally been working 12-20
hr days trying to finish up at school...

  EBo --
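The thread's point about tripwire and aide is that a file-integrity baseline only helps if it is recorded before a compromise and compared against afterwards. The following is an added example, not code from the original thread and not tripwire's or aide's own implementation: it records SHA-256 digests of a directory tree, stores them as JSON, and later reports which files were modified, went missing, or appeared. All paths and file contents are constructed in a temporary directory for the demonstration; the `packlist` line reuses the entry quoted in the message only as sample data.

```python
"""Minimal file-integrity baseline and check (added example).

Records SHA-256 digests of a set of files, then reports entries that are
later modified, missing, or newly appeared. Everything below runs in a
temporary directory with constructed file contents.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Walk `root` and map each regular file's relative path to its digest
    and size. Symlinks are skipped so a link cannot redirect the hash to a
    different file than the one being recorded."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        rel = str(path.relative_to(root))
        baseline[rel] = {"sha256": sha256_file(path), "size": path.stat().st_size}
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the current tree against `baseline`.

    Returns {"modified": [...], "missing": [...], "added": [...]}, each a
    sorted list of relative paths. All three lists empty means no change.
    """
    current = build_baseline(root)
    modified = [p for p in baseline
                if p in current and current[p]["sha256"] != baseline[p]["sha256"]]
    missing = [p for p in baseline if p not in current]
    added = [p for p in current if p not in baseline]
    return {"modified": sorted(modified), "missing": sorted(missing), "added": sorted(added)}


def save_baseline(baseline: dict, dest: Path) -> None:
    """Persist the baseline as JSON; in real use keep this copy off-host or read-only."""
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Constructed scenario: baseline three files, then modify one,
    delete one and add one before re-checking."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "tree"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "ps").write_bytes(b"original ps binary (constructed)\n")
        (root / "bin" / "ls").write_bytes(b"original ls binary (constructed)\n")
        (root / "packlist").write_text(
            "/usr/share/man/man3/warnings::register.3pm type=file\n")

        store = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), store)

        # Changes made after the baseline was taken (constructed).
        (root / "bin" / "ps").write_bytes(b"altered ps binary (constructed)\n")
        (root / "bin" / "ls").unlink()
        (root / "bin" / ".hidden").write_bytes(b"new file (constructed)\n")

        return verify(root, load_baseline(store))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script reports `bin/ps` as modified, `bin/ls` as missing and `bin/.hidden` as added. The check is only as trustworthy as the stored baseline and the tool reading it: both need to live somewhere the monitored host cannot rewrite (removable media, a separate host, or a read-only mount), which is exactly why the thread says this has to be set up before anything goes wrong rather than after.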