On Sat, 7 Sep 2002, AZ Pete wrote:
get chkrootkit. it will do alot of the grunt work for you (at least to
some extent).
David
> Hi All,
>
> I believe some kind of root kit has been installed on a server of mine. My
> first clue that things were amiss was when I logged in at the console and
> tried to do a simple 'ls' command. I got a 'permission denied' error. I
> then switched to the root user and saw that /bin/ls had permissions of
> rwx------ owner: root, group: root.
>
> I then mounted the original installation cd-rom and checked the byte size
> of the ls command within the RPM file and its file size was different than
> that on the system. The same was true for the ps command and several other
> system related utils.
>
> I've since taken this machine out of service and transferred the web
> content to another machine. So, now I can take my time to do some
> postmortem analysis. I'm confident that the web content was not 'infected',
> since they are static pages AND I took them from a known good backup anyway.
>
> I thought this would now be a good opportunity to learn what to do after an
> attack (and to prevent another one).
> If anyone can offer tips, pointers, web articles, etc. for the following:
>
> 1) How to determine if a root kit has, in fact, been installed.
> 2) How to determine the point of entry.
> 3) How to prevent this in the future.
>
> The server in question was RedHat 6.2. It a very low volume web, mail
> (SMTP and POP) and FTP server.
>
> Any thoughts/tips/pointers/etc would be greatly appreciated.
> Thanks,
> Peter
>
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change you mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
--
"I find your lack of faith disturbing."
--Darth Vader
---
12:15pm up 8 days, 2:35, 1 user, load average: 0.00, 0.00, 0.00
(text/plain)