I think I've been Rooted.

George Toft plug-discuss@lists.plug.phoenix.az.us
Sat, 07 Sep 2002 17:51:14 -0400 

Step 1: Make an image of your hard drive before you start messing with
things.

I would reboot using a CD-distro (recovery CD, or knoppix) so you aren't
making any changes to your drive.


Step 2: Use RPM to see what's changed:
	rpm -Va 
See also http://www.sans.org/newlook/resources/IDFAQ/RPM.htm


As far as the future, compare your current results against my advice
(http://www.georgetoft.com/linux/security/index.html, and
http://www.georgetoft.com/linux/security/locking/checklist.html) and
make the necessary adjustments.  If your box was secure per my advice
(or equivalent), please let me know!!!  I understand you had a web
server - did you update it recently, or was it a vulnerable version? 
What other services did you have? 

George


AZ Pete wrote:
> 
> Hi All,
> 
> I believe some kind of root kit has been installed on a server of mine.  My
> first clue that things were amiss was when I logged in at the console and
> tried to do a simple 'ls' command.  I got a 'permission denied' error.  I
> then switched to the root user and saw that /bin/ls had  permissions of
> rwx------ owner: root, group: root.
> 
> I then mounted the original installation cd-rom and checked the byte size
> of the ls command within the RPM file and its file size was different than
> that on the system.  The same was true for the ps command and several other
> system related utils.
> 
> I've since taken this machine out of service and transferred the web
> content to another machine.  So, now I can take my time to do some
> postmortem analysis. I'm confident that the web content was not 'infected',
> since they are static pages AND I took them from a known good backup anyway.
> 
> I thought this would now be a good opportunity to learn what to do after an
> attack (and to prevent another one).
> If anyone can offer tips, pointers, web articles, etc. for the following:
> 
> 1) How to determine if a root kit has, in fact,  been installed.
> 2) How to determine the point of entry.
> 3) How to prevent this in the future.
> 
> The server in question was RedHat 6.2.  It a very low volume web, mail
> (SMTP and POP) and FTP server.
> 
> Any thoughts/tips/pointers/etc would be greatly appreciated.
> Thanks,
> Peter
> 
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change  you mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss