Bob George wrote:
>
> "John (EBo) David" <ebo@leml.la.asu.edu> wrote:
>
> > George Toft wrote:
> > >
> > > Hi John,
> > >
> > > Post a ps and let the group dissect it.
> >
> > Ok... See appended:
>
> Output of ps won't mean much if a rootkit has already been installed
> (search on rootkits - i.e.
> http://linux.oreillynet.com/pub/a/linux/2001/12/14/rootkit.html)
I understand. But since I was asked I thought maybe someone might see
something I didn't.
> Ideally, you'd have tools running up front to detect unauthorized changes.
> There are tools though (i.e. chkrootkit - http://www.chkrootkit.org/) to
> look for signs of compromise even after the fact.
It has been to long since I ran chkrootkit, but... The only thing that
came up was:
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.6.0/i386-linux/.packlist
Searching for LPD Worm files and dirs... nothing found
...
it really does appear like a packing list, but has a bunch of files
which end in .3pm which have is about the time I typically notice odd
things going on. I assume that that is just a cooincidence since there
are files there that end in .tar.gz extention... Being in the man
directory I assumed that they are man pages, and the .gz being
gnuziped... One such example is:
/usr/share/man/man3/warnings::register.3pm type=file
I went ahead and tried looking at them and was unable with an of the
tools I expected, so does anyone have a clue what they should be for?
any Perl GURU's got an idea why they are not readable if they are
documentaiton?
> Running something like aide or tripwire against critical files is a good
> detection measure, but it needs to be set up up front.
My previous install I set up tripwire (had not heard about aide), but
have not taken the time because I have litterally been working 12-20
hr/days trying to finish up at school...
EBo --