I think I've been Rooted.

technomage plug-discuss@lists.plug.phoenix.az.us
Sun, 8 Sep 2002 21:56:59 -0700


Well,
get chkrootkit and install it via a floppy-based Linux and run it on your
HD. The latest version can examine logs to see if there are any
inconsistencies. Other things may show up as well.

You might want to also get hold of Tom Perry (I think he monitors this list)
and ask him about some traps he's devised to better secure his system.

Otherwise, whatever you do, don't put that box back on the net until you know
it's clean.

Technomage

On Saturday 07 September 2002 11:47 am, you wrote:
> Hi All,
>
> I believe some kind of root kit has been installed on a server of mine.  My
> first clue that things were amiss was when I logged in at the console and
> tried to do a simple 'ls' command.  I got a 'permission denied' error.  I
> then switched to the root user and saw that /bin/ls had permissions of
> rwx------ owner: root, group: root.
>
> I then mounted the original installation cd-rom and checked the byte size
> of the ls command within the RPM file and its file size was different than
> that on the system.  The same was true for the ps command and several other
> system related utils.
>
> I've since taken this machine out of service and transferred the web
> content to another machine.  So, now I can take my time to do some
> postmortem analysis. I'm confident that the web content was not 'infected',
> since they are static pages AND I took them from a known good backup
> anyway.
>
> I thought this would now be a good opportunity to learn what to do after an
> attack (and to prevent another one).
> If anyone can offer tips, pointers, web articles, etc. for the following:
>
> 1) How to determine if a root kit has, in fact, been installed.
> 2) How to determine the point of entry.
> 3) How to prevent this in the future.
>
> The server in question was RedHat 6.2.  It was a very low-volume web, mail
> (SMTP and POP) and FTP server.
>
> Any thoughts/tips/pointers/etc would be greatly appreciated.
> Thanks,
> Peter
>
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

-- 
I will not be pushed, filed, stamped, indexed, briefed, debriefed, or 
numbered!
My life is my own - No. 6
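The manual check Peter describes (comparing /bin/ls on disk against the copy in the install RPM) and Technomage's advice to run the tools from floppy-based Linux combine into the script below. It is an added example, not code from either poster or from chkrootkit; it assumes GNU coreutils (stat -c, sha256sum), a baseline taken from a known-good install, and a suspect disk mounted read-only from trusted boot media so that the stat and sha256sum doing the checking are not the possibly trojaned binaries on the disk being checked. It records both the digest and the permission mode, so it catches the rwx------ change as well as the size difference.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU coreutils (stat -c, sha256sum).
# Boot trusted media, mount the suspect disk read-only (e.g. at /mnt) and pass that
# mount point as ROOT, so the tools on the boot media do the checking, not the
# binaries on the disk under suspicion.

# baseline_create ROOT PATH... : print "mode sha256 path" for each file under ROOT.
# Generate this from a known-good install and keep it off the machine.
baseline_create() {
    root=$1; shift
    for f in "$@"; do
        printf '%s %s %s\n' "$(stat -c '%a' "$root$f")" \
            "$(sha256sum "$root$f" | cut -d' ' -f1)" "$f"
    done
}

# baseline_verify ROOT BASELINE : report each file whose mode or contents differ
# from the baseline. Exit status is the number of differing files (0 = all matched).
baseline_verify() {
    root=$1; bad=0
    while read -r mode sum path; do
        cur_mode=$(stat -c '%a' "$root$path" 2>/dev/null || echo missing)
        cur_sum=$(sha256sum "$root$path" 2>/dev/null | cut -d' ' -f1)
        reason=''
        if [ "$cur_mode" != "$mode" ]; then reason=" mode $mode->$cur_mode"; fi
        if [ "$cur_sum" != "$sum" ]; then reason="$reason contents"; fi
        if [ -n "$reason" ]; then
            echo "MISMATCH $path:$reason"
            bad=$((bad + 1))
        fi
    done < "$2"
    return "$bad"
}

# demo_mismatch_count: constructed sample tree standing in for a mounted disk.
# /bin/ls is replaced and locked to rwx------ as in the report; /bin/ps is left alone.
# Prints the number of files that fail verification (expected: 1).
demo_mismatch_count() {
    tmp=$(mktemp -d); mkdir -p "$tmp/bin"
    printf 'constructed stand-in for /bin/ls\n' > "$tmp/bin/ls"
    printf 'constructed stand-in for /bin/ps\n' > "$tmp/bin/ps"
    chmod 755 "$tmp/bin/ls" "$tmp/bin/ps"
    baseline_create "$tmp" /bin/ls /bin/ps > "$tmp/baseline.txt"
    printf 'replaced binary\n' > "$tmp/bin/ls"; chmod 700 "$tmp/bin/ls"
    n=0; baseline_verify "$tmp" "$tmp/baseline.txt" >/dev/null || n=$?
    rm -rf "$tmp"
    echo "$n"
}
```

A clean baseline only proves the listed files match; a kernel module or a replaced library the baseline never covered will not show up, which is why the reply also points at chkrootkit and the logs.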