I think I've been Rooted.

AZ Pete plug-discuss@lists.plug.phoenix.az.us
Sat, 07 Sep 2002 11:47:23 -0700


Hi All,

I believe some kind of root kit has been installed on a server of mine.  My 
first clue that things were amiss was when I logged in at the console and 
tried to do a simple 'ls' command.  I got a 'permission denied' error.  I 
then switched to the root user and saw that /bin/ls had permissions of 
rwx------ owner: root, group: root.

I then mounted the original installation cd-rom and checked the byte size 
of the ls command within the RPM file and its file size was different than 
that on the system.  The same was true for the ps command and several other 
system related utils.

I've since taken this machine out of service and transferred the web 
content to another machine.  So, now I can take my time to do some 
postmortem analysis. I'm confident that the web content was not 'infected', 
since they are static pages AND I took them from a known good backup anyway.

I thought this would now be a good opportunity to learn what to do after an 
attack (and to prevent another one).
If anyone can offer tips, pointers, web articles, etc. for the following:

1) How to determine if a root kit has, in fact, been installed.
2) How to determine the point of entry.
3) How to prevent this in the future.

The server in question was RedHat 6.2.  It was a very low-volume web, mail 
(SMTP and POP) and FTP server.

Any thoughts/tips/pointers/etc would be greatly appreciated.
Thanks,
Peter
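As an added example (not part of Peter's message), a POSIX shell script that automates the comparison he did by hand: it builds a size-and-hash baseline from a trusted copy of the binaries and checks the suspect system against it. It assumes the trusted files have already been extracted from the install CD's RPMs (e.g. with rpm2cpio) and that the script is run from a rescue boot; the demo at the end uses constructed files in a temp directory.

```shell
#!/bin/sh
# Compare binaries on a suspect system against a baseline taken from trusted
# media. Run it from a clean boot (rescue CD), because ls, ps, md5sum and
# the kernel on the suspect disk may themselves be the things replaced.

hash_file() {                      # md5sum where present, POSIX cksum otherwise
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
    else cksum "$1" | cut -d' ' -f1; fi
}

size_file() { wc -c < "$1" | tr -d ' '; }   # size in bytes
# make_baseline ROOT FILE... : one "size hash path" line per file, taken
# from a trusted tree (e.g. /bin extracted from the install CD's RPMs).
make_baseline() {
    root=$1; shift
    for f in "$@"; do
        printf '%s %s %s\n' "$(size_file "$root/$f")" "$(hash_file "$root/$f")" "$f"
    done
}

# check_tree ROOT BASELINE : prints one line per missing or modified file,
# returns 0 when everything matches and 1 otherwise.
check_tree() {
    root=$1; bad=0
    while read -r want_size want_hash path; do
        if [ ! -f "$root/$path" ]; then
            echo "MISSING $path"; bad=1; continue
        fi
        if [ "$(size_file "$root/$path")" != "$want_size" ] ||
           [ "$(hash_file "$root/$path")" != "$want_hash" ]; then
            echo "MODIFIED $path"; bad=1
        fi
    done < "$2"
    return $bad
}

# Constructed demo: a "trusted" tree and a "suspect" tree in a temp dir,
# with a stand-in ps file that differs from the original.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/good/bin" "$tmp/sys/bin"
    printf 'original ls\n' > "$tmp/good/bin/ls"
    printf 'original ps\n' > "$tmp/good/bin/ps"
    cp "$tmp/good/bin/ls" "$tmp/sys/bin/ls"
    printf 'replaced ps\n' > "$tmp/sys/bin/ps"
    make_baseline "$tmp/good" bin/ls bin/ps > "$tmp/baseline.txt"
    if check_tree "$tmp/sys" "$tmp/baseline.txt"; then echo "clean"
    else echo "mismatches found"; fi   # prints: MODIFIED bin/ps, mismatches found
    rm -rf "$tmp"
}
demo
```

On the real box the baseline would be built from the CD's packages rather than the disk's /bin, and a clean result from this script says nothing about a kernel module rootkit, which hides from userland tools entirely.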