I think I've been Rooted.

plug-discuss@lists.plug.phoenix.az.us
Sat, 7 Sep 2002 12:17:52 -0500 (CDT)


On Sat, 7 Sep 2002, AZ Pete wrote:


Get chkrootkit.  It will do a lot of the grunt work for you (at least to 
some extent).  

David


> Hi All,
> 
> I believe some kind of root kit has been installed on a server of mine.  My 
> first clue that things were amiss was when I logged in at the console and 
> tried to do a simple 'ls' command.  I got a 'permission denied' error.  I 
> then switched to the root user and saw that /bin/ls had permissions of 
> rwx------ owner: root, group: root.
> 
> I then mounted the original installation cd-rom and checked the byte size 
> of the ls command within the RPM file and its file size was different than 
> that on the system.  The same was true for the ps command and several other 
> system related utils.
> 
> I've since taken this machine out of service and transferred the web 
> content to another machine.  So, now I can take my time to do some 
> postmortem analysis. I'm confident that the web content was not 'infected', 
> since they are static pages AND I took them from a known good backup anyway.
> 
> I thought this would now be a good opportunity to learn what to do after an 
> attack (and to prevent another one).
> If anyone can offer tips, pointers, web articles, etc. for the following:
> 
> 1) How to determine if a root kit has, in fact,  been installed.
> 2) How to determine the point of entry.
> 3) How to prevent this in the future.
> 
> The server in question was RedHat 6.2.  It's a very low-volume web, mail 
> (SMTP and POP) and FTP server.
> 
> Any thoughts/tips/pointers/etc would be greatly appreciated.
> Thanks,
> Peter
> 
> 
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> 

-- 
"I find your lack of faith disturbing."
--Darth Vader
---
 12:15pm  up 8 days,  2:35,  1 user,  load average: 0.00, 0.00, 0.00
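The check Peter did by hand (comparing /bin/ls and /bin/ps against the original media) as a script, added here as an example; it is not code from the thread, from chkrootkit or from Red Hat. It records mode and SHA-256 of listed binaries from a known-good root, then checks a suspect root against that baseline, so it is meant to be run from a clean boot medium with the suspect disk mounted rather than on the compromised system itself. It assumes GNU coreutils (stat -c, sha256sum); build_baseline, check_against_baseline and demo are hypothetical names.

```shell
#!/bin/sh
# Constructed example (not from the thread): record "mode sha256 path" for
# system binaries from a known-good root, then check a suspect root against
# it. Run from a clean boot medium with the suspect disk mounted at ROOT, so
# nothing depends on the suspect host's own ls/ps. Assumes GNU coreutils.

# build_baseline ROOT PATH... : one "mode sha256 path" line per PATH, relative
# to ROOT; redirect to a file kept off the host.
build_baseline() {
    root=$1; shift
    for rel in "$@"; do
        printf '%s %s %s\n' "$(stat -c '%a' "$root/$rel")" \
            "$(sha256sum "$root/$rel" | cut -d' ' -f1)" "$rel"
    done
}

# check_against_baseline BASELINE ROOT : report each entry that is missing,
# differs in content, or differs in mode (the rwx------ on /bin/ls in the
# post would show up as MODE). Returns 1 if anything was reported.
check_against_baseline() {
    baseline=$1; root=$2; rc=0
    while read -r want_mode want_sum rel; do
        f="$root/$rel"
        if [ ! -e "$f" ]; then echo "MISSING  $rel"; rc=1; continue; fi
        have_mode=$(stat -c '%a' "$f")
        have_sum=$(sha256sum "$f" | cut -d' ' -f1)
        [ "$have_sum" = "$want_sum" ] ||
            { echo "MODIFIED $rel (content differs from baseline)"; rc=1; }
        [ "$have_mode" = "$want_mode" ] ||
            { echo "MODE     $rel (baseline $want_mode, found $have_mode)"; rc=1; }
    done < "$baseline"
    return $rc
}

# demo: constructed roots; in the suspect one bin/ls is replaced and set to
# rwx------ and bin/ps is replaced, bin/cat is untouched. Prints the findings.
demo() {
    good=$(mktemp -d); suspect=$(mktemp -d)
    for d in "$good" "$suspect"; do
        mkdir -p "$d/bin"; for b in ls ps cat; do
            printf 'original %s\n' "$b" > "$d/bin/$b"; chmod 755 "$d/bin/$b"
        done
    done
    printf 'trojaned ls\n' > "$suspect/bin/ls"; chmod 700 "$suspect/bin/ls"
    printf 'trojaned ps\n' > "$suspect/bin/ps"
    build_baseline "$good" bin/ls bin/ps bin/cat > "$good/baseline.txt"
    rc=0; check_against_baseline "$good/baseline.txt" "$suspect" || rc=$?
    rm -rf "$good" "$suspect"; return $rc
}
```

Running `demo` reports bin/ls as both MODIFIED and MODE (baseline 755, found 700) and bin/ps as MODIFIED, and exits non-zero; bin/cat is not listed.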