I think I've been Rooted.
AZ Pete
plug-discuss@lists.plug.phoenix.az.us
Sat, 07 Sep 2002 11:47:23 -0700
Hi All,
I believe some kind of root kit has been installed on a server of mine. My
first clue that things were amiss was when I logged in at the console and
tried to do a simple 'ls' command. I got a 'permission denied' error. I
then switched to the root user and saw that /bin/ls had permissions of
rwx------ owner: root, group: root.
I then mounted the original installation cd-rom and checked the byte size
of the ls command within the RPM file and its file size was different than
that on the system. The same was true for the ps command and several other
system related utils.
I've since taken this machine out of service and transferred the web
content to another machine. So, now I can take my time to do some
postmortem analysis. I'm confident that the web content was not 'infected',
since they are static pages AND I took them from a known good backup anyway.
I thought this would now be a good opportunity to learn what to do after an
attack (and to prevent another one).
If anyone can offer tips, pointers, web articles, etc. for the following:
1) How to determine if a root kit has, in fact, been installed.
2) How to determine the point of entry.
3) How to prevent this in the future.
The server in question was RedHat 6.2. It a very low volume web, mail
(SMTP and POP) and FTP server.
Any thoughts/tips/pointers/etc would be greatly appreciated.
Thanks,
Peter