I second David's advice to use 'ckrootkit' - it's not perfect, but will
certainly save you many hours of grunt work. In the end, I'm sure you
realize that you're going to have to completely wipe the machine and
re-install everything from scratch. That's the only sure-fire way to know
there are no trojans left around.
I'm really glad your message mentioned the need to take PROACTIVE steps to
be sure this doesn't happen again. Of course, hind-sight is always 20/20.
<Shameless Plug> To help analyze your system after the reinstall (and your
other systems that have not (YET) been rooted), you should perform a
remote penetration test and vulnerability analysis. Support a fellow PLUG
member and local AZ business and use Edgeos to do this. It is only $10 per
machine and the service is completely remote and automated (no sales
people, nothing to download or install). Just go to the Edgeos web site,
enter your IP address(es), and you get a report in just a few hours. The
site is at:
http://www.edgeos.com
</Shameless Plug>
:)
~Jay
On Sat, 7 Sep 2002, AZ Pete wrote:
> Hi All,
>
> I believe some kind of root kit has been installed on a server of mine. My
> first clue that things were amiss was when I logged in at the console and
> tried to do a simple 'ls' command. I got a 'permission denied' error. I
> then switched to the root user and saw that /bin/ls had permissions of
> rwx------ owner: root, group: root.
>
> I then mounted the original installation cd-rom and checked the byte size
> of the ls command within the RPM file and its file size was different than
> that on the system. The same was true for the ps command and several other
> system related utils.
>
> I've since taken this machine out of service and transferred the web
> content to another machine. So, now I can take my time to do some
> postmortem analysis. I'm confident that the web content was not 'infected',
> since they are static pages AND I took them from a known good backup anyway.
>
> I thought this would now be a good opportunity to learn what to do after an
> attack (and to prevent another one).
> If anyone can offer tips, pointers, web articles, etc. for the following:
>
> 1) How to determine if a root kit has, in fact, been installed.
> 2) How to determine the point of entry.
> 3) How to prevent this in the future.
>
> The server in question was RedHat 6.2. It a very low volume web, mail
> (SMTP and POP) and FTP server.
>
> Any thoughts/tips/pointers/etc would be greatly appreciated.
> Thanks,
> Peter
>
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change you mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
--
~Jay