There are also other items in a standard rootkit.
You could spend time checking ls, ps, top, sum, yada
yada yada, against your pristine versions on read-only
installation media (after booting into single-user
mode on pristine read-only trusted media (and ONLY
running binaries from said media)), but IMHO your best
bet after a breach/rootkit incident is to take off and
nuke the site from orbit. It's the only way to be sure.
I'm sure there's a HOWTO on cleaning up your system
after a rootkit "upgrade." Check Google.
D
* On Mon, Sep 25, 2000 at 01:23:37PM -0700, Don Harrop wrote:
> Thanks for the responses. I never knew about the command "last". Very
> cool. I've already found out most of what I needed. It was some guy over
> in Russia. Those punks! :-) He left some cool utilz on the hard drive
> for me though. A login replacement that logs all usernames and passwords
> and an in.ftpd replacement. That's how he got in in the first place. I
> was running wu-ftpd 2.5.x... I already know there's tons of documented
> exploits with that version. I've just upgraded to wu-ftpd 2.6 so that
> should slow 'em down a little bit.
>
> Don
>
> On 26 Sep 2000, Bill Warner wrote:
>
> > This information is located in the /etc/shadow file. It is referenced
> > in the standard unix time thing (seconds since jan 1 1970) check
> > man shadow for more details
> >
> > Bill Warner
> >
> > > Hey guys.
> > > At login I get a printout of when the last login occurred. Where
> > > is that info stored? I want to check out a user on the system but
> > > don't want to log in as them. One of the machines I work with had the
> > > root account compromised. It's just running a few mushes so it's not that
> > > big of deal but I don't want it happening again. I went through it with a
> > > fine tooth comb and wouldn't mind it if any of you guys tried to whack at
> > > it... Lemme know what you find. The IP is 205.216.140.17
> > >
> > > Don
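
The "check ls, ps, top ... against your pristine versions on read-only media" step from the top of this thread, as an added shell example that is not part of the original messages: a checksum manifest is recorded from a trusted tree, then a suspect tree is verified against it and any file that differs or is missing is reported. It assumes GNU coreutils (sha256sum, find, xargs) and builds its own sample "binaries" in a temporary directory; the directory names and file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: verify a set of binaries against a
# baseline of SHA-256 checksums taken from a trusted copy.
# Assumes GNU coreutils (sha256sum, find, xargs). All paths below are
# constructed for the demo.

# make_baseline TRUSTED_DIR MANIFEST
# Record "<sha256>  ./<name>" for every regular file under TRUSTED_DIR.
make_baseline() {
    _dir=$1; _manifest=$2
    ( cd "$_dir" && find . -type f | sort | xargs sha256sum ) > "$_manifest"
}

# verify_baseline SUSPECT_DIR MANIFEST
# Print, one per line, the names of files whose hash differs from the
# manifest or that are missing entirely. Prints nothing when all match.
verify_baseline() {
    _dir=$1; _manifest=$2
    # With --quiet, sha256sum -c prints only failures, e.g.
    #   ./ps: FAILED
    #   ./ls: FAILED open or read      (file missing)
    # Strip the status so only the file name remains, then sort.
    ( cd "$_dir" && sha256sum -c --quiet "$_manifest" 2>/dev/null ) \
        | sed -n 's/: FAILED.*$//p' | sort
}

# demo: build a constructed "pristine" tree, copy it to a "live" tree,
# replace one file the way a rootkit would, and report what changed.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/pristine" "$work/live"
    # Stand-ins for ls, ps, top: the contents are arbitrary constructed text.
    for b in ls ps top; do
        printf 'original %s binary\n' "$b" > "$work/pristine/$b"
    done
    cp "$work/pristine"/* "$work/live/"
    make_baseline "$work/pristine" "$work/baseline.sha256"
    # Simulated tampering: the live ps no longer matches the trusted copy.
    printf 'replaced ps\n' > "$work/live/ps"
    verify_baseline "$work/live" "$work/baseline.sha256"   # prints ./ps
    rm -rf "$work"
}

demo
```

The manifest is only as trustworthy as the tools that produced and checked it, which is the point of the advice in the thread about booting and running binaries only from read-only trusted media: a replaced sha256sum, sed or shell on the compromised host could report a clean tree. Keep the manifest itself on the trusted media too, so a later comparison is against hashes the intruder never had write access to.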