I think I've been Rooted.

Author: George Toft
Date:  
New-Topics: New Kernel Help
Subject: I think I've been Rooted.
Step 1: Make an image of your hard drive before you start messing with
things.

I would reboot using a CD-distro (recovery CD, or knoppix) so you aren't
making any changes to your drive.


Step 2: Use RPM to see what's changed:
    rpm -Va 
See also http://www.sans.org/newlook/resources/IDFAQ/RPM.htm



As far as the future, compare your current results against my advice
(http://www.georgetoft.com/linux/security/index.html, and
http://www.georgetoft.com/linux/security/locking/checklist.html) and
make the necessary adjustments. If your box was secure per my advice
(or equivalent), please let me know!!! I understand you had a web
server - did you update it recently, or was it a vulnerable version?
What other services did you have?

George


AZ Pete wrote:
>
> Hi All,
>
> I believe some kind of root kit has been installed on a server of mine. My
> first clue that things were amiss was when I logged in at the console and
> tried to do a simple 'ls' command. I got a 'permission denied' error. I
> then switched to the root user and saw that /bin/ls had permissions of
> rwx------ owner: root, group: root.
>
> I then mounted the original installation cd-rom and checked the byte size
> of the ls command within the RPM file and its file size was different than
> that on the system. The same was true for the ps command and several other
> system related utils.
>
> I've since taken this machine out of service and transferred the web
> content to another machine. So, now I can take my time to do some
> postmortem analysis. I'm confident that the web content was not 'infected',
> since they are static pages AND I took them from a known good backup anyway.
>
> I thought this would now be a good opportunity to learn what to do after an
> attack (and to prevent another one).
> If anyone can offer tips, pointers, web articles, etc. for the following:
>
> 1) How to determine if a root kit has, in fact, been installed.
> 2) How to determine the point of entry.
> 3) How to prevent this in the future.
>
> The server in question was RedHat 6.2. It was a very low-volume web, mail
> (SMTP and POP) and FTP server.
>
> Any thoughts/tips/pointers/etc would be greatly appreciated.
> Thanks,
> Peter
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
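As an added illustration of the `rpm -Va` step in George's reply (example code, not part of the thread): a short Python script that parses the verify report and lists the system binaries whose size, checksum, ownership or permissions no longer match the package database, which is exactly the symptom Pete saw on /bin/ls and /bin/ps. The sample output and the directory list are constructed for the example.

```python
from dataclasses import dataclass

# Columns of an `rpm -V` attribute string. rpm on RedHat 6.2 prints 8 columns;
# newer versions add a 9th ("P", capabilities). Unknown characters are ignored.
FLAG_NAMES = {"S": "size", "M": "mode", "5": "md5", "D": "device", "L": "symlink",
              "U": "user", "G": "group", "T": "mtime", "P": "caps"}
STRONG_FLAGS = {"S", "5", "M", "U", "G"}   # content / permission changes, not just mtime
# Directories whose binaries are the usual rootkit replacement targets (assumed list).
CRITICAL_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/")

@dataclass
class VerifyEntry:
    path: str
    flags: set
    is_config: bool = False
    missing: bool = False

    @property
    def suspicious(self) -> bool:
        """A missing binary, or one whose content/mode/owner changed, in a system
        directory. mtime-only changes and edited config files are admin noise."""
        if self.missing:
            return self.path.startswith(CRITICAL_DIRS)
        return (not self.is_config and self.path.startswith(CRITICAL_DIRS)
                and bool(self.flags & STRONG_FLAGS))

def parse_rpm_verify(output: str) -> list:
    """Parse `rpm -Va` text into VerifyEntry objects (paths without spaces assumed)."""
    entries = []
    for line in output.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "missing":          # "missing   c /etc/x" or "missing    /bin/ps"
            entries.append(VerifyEntry(parts[-1], set(), "c" in parts[1:-1], True))
            continue
        flags = {ch for ch in parts[0] if ch in FLAG_NAMES}
        is_config = len(parts) == 3 and parts[1] == "c"   # "c" marks a config file
        entries.append(VerifyEntry(parts[-1], flags, is_config))
    return entries

def suspicious_paths(output: str) -> list:
    """Sorted list of files that should be compared against the install media."""
    return sorted(e.path for e in parse_rpm_verify(output) if e.suspicious)

# Constructed sample of what `rpm -Va` might print on a box like Pete's.
SAMPLE = """\
S.5....T.  /bin/ls
SM5....T.  /bin/ps
.M.....T.  /bin/netstat
missing    /sbin/ifconfig
.......T.  c /etc/hosts
S.5....T.  c /etc/inetd.conf
"""

if __name__ == "__main__":
    for p in suspicious_paths(SAMPLE):
        print("CHECK AGAINST INSTALL MEDIA:", p)
```

Feed it the output of a trusted `rpm` run from the recovery CD against the mounted disk (rpm's `--root` option), because a rootkit can replace `rpm` itself or edit the RPM database on the rooted drive; any file it lists still needs the byte-for-byte comparison against the original CD that Pete did by hand.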