I think I've been Rooted.

Author: AZ Pete
Date:  
Subject: I think I've been Rooted.
Hi All,

I believe some kind of root kit has been installed on a server of mine. My
first clue that things were amiss was when I logged in at the console and
tried to do a simple 'ls' command. I got a 'permission denied' error. I
then switched to the root user and saw that /bin/ls had permissions of
rwx------ owner: root, group: root.

I then mounted the original installation cd-rom and checked the byte size
of the ls command within the RPM file and its file size was different than
that on the system. The same was true for the ps command and several other
system related utils.

I've since taken this machine out of service and transferred the web
content to another machine. So, now I can take my time to do some
postmortem analysis. I'm confident that the web content was not 'infected',
since they are static pages AND I took them from a known good backup anyway.

I thought this would now be a good opportunity to learn what to do after an
attack (and to prevent another one).
If anyone can offer tips, pointers, web articles, etc. for the following:

1) How to determine if a root kit has, in fact, been installed.
2) How to determine the point of entry.
3) How to prevent this in the future.

The server in question was RedHat 6.2. It's a very low volume web, mail
(SMTP and POP) and FTP server.

Any thoughts/tips/pointers/etc would be greatly appreciated.
Thanks,
Peter
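The size check against the RPM described above, worked into a small file-integrity script as an added example (not code from the original message or from the list): it records mode, size and SHA-256 for every file under a known-good tree and reports anything that differs on a suspect tree, so a replacement padded to the original size is still caught by the hash. It assumes GNU coreutils (stat -c, sha256sum) and filenames without newlines; the tools themselves should be run from known-good media, as the post does with the install CD, since a trojaned stat or sha256sum would defeat the check.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal file-integrity check
# covering mode, size and SHA-256. Assumes GNU coreutils (stat -c, sha256sum)
# and paths without embedded newlines.

# Print one "mode size sha256 relative/path" line per regular file under $1.
make_manifest() {
    root=$1
    find "$root" -type f | sort | while IFS= read -r f; do
        printf '%s %s %s %s\n' "$(stat -c '%a' "$f")" "$(stat -c '%s' "$f")" \
            "$(sha256sum "$f" | cut -d' ' -f1)" "${f#"$root"/}"
    done
}

# Compare the live tree $2 against baseline manifest $1.
# Prints one line per discrepancy; returns 1 if any was found, 0 otherwise.
verify_manifest() {
    baseline=$1; root=$2; rc=0
    while read -r mode size sum rel; do
        f="$root/$rel"
        if [ ! -f "$f" ]; then echo "MISSING  $rel"; rc=1; continue; fi
        cur_mode=$(stat -c '%a' "$f"); cur_size=$(stat -c '%s' "$f")
        cur_sum=$(sha256sum "$f" | cut -d' ' -f1)
        [ "$cur_mode" = "$mode" ] || { echo "MODE     $rel ($mode -> $cur_mode)"; rc=1; }
        [ "$cur_size" = "$size" ] || { echo "SIZE     $rel ($size -> $cur_size)"; rc=1; }
        # A replacement padded to the original size still changes the hash.
        [ "$cur_sum" = "$sum" ] || { echo "HASH     $rel"; rc=1; }
    done < "$baseline"
    # Files present now but absent from the baseline: list baseline paths
    # twice and live paths once, then keep the lines occurring exactly once.
    want=$(cut -d' ' -f4- "$baseline")
    have=$(make_manifest "$root" | cut -d' ' -f4-)
    extra=$(printf '%s\n%s\n%s\n' "$want" "$want" "$have" | sort | uniq -u)
    if [ -n "$extra" ]; then
        printf '%s\n' "$extra" | sed 's/^/NEW      /'; rc=1
    fi
    return $rc
}

# Usage (paths are placeholders):
#   make_manifest /mnt/known_good > baseline.txt
#   verify_manifest baseline.txt /mnt/suspect
```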