[TriLUG] invisible directories...

Jeremy Portzer jeremyp at pobox.com
Mon Apr 21 16:27:12 EDT 2003


On Mon, 2003-04-21 at 16:16, Jeffery Painter wrote:
> Well, it appears my /bin/ls is not the same as on another host... this 
> looks to be the only major binary I can find... also to note, vsftp 
> service had stopped accepting connections... I did not see any errata on 
> vsftp for redhat 8...
> 
> I reinstalled vsftp from rpm's and it is working again... having a little 
> more trouble replacing the trojan ls with a clean copy... will probably 
> just reinstall and get my data off of there! :)
> 

Reinstalling is definitely your safest option.  You could also try
rebooting with a CD in rescue mode, and then running the following
command to determine what files have been messed with:
	rpm -Va --root /mnt/sysimage
(you probably want to redirect output to "less" or a file)

Running from a rescue CD will ensure that you have a valid rpm binary,
but it won't help if the RPM database itself has been messed with. 
Also, the attacker could have installed numerous files in other places
not covered by the rpm database (like the "backup" directory that it
seems to be trying to hide).

--Jeremy
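An added example (not from the thread) of triaging the output of the `rpm -Va --root /mnt/sysimage` check suggested above: the script feeds a constructed sample of `rpm -V` lines through a filter that separates content/permission changes on regular files from the mtime-only and config-file noise, and keeps the caveat that the result is only as trustworthy as the RPM database it was compared against.

```shell
#!/bin/sh
# Added example, not code from the mailing list post.
# Each rpm -V line has the form:  <flags> [<type>] <path>
#   flags: S size, M mode, 5 MD5 digest, D device, L symlink, U user, G group, T mtime
#   type:  c config, d doc, g ghost, l license, r readme (absent for ordinary files)
# A file that no longer exists is reported as:  missing    <path>
# Caveat: a root-level intruder can also edit /var/lib/rpm, so cross-check
# anything suspicious against the original package files (rpm -Vp <pkg>.rpm)
# or against a known-good host before trusting a clean result.

# Reads rpm -V output on stdin; prints only the lines worth investigating:
# files that are missing, or non-config/non-doc files whose size, mode,
# digest, owner, group or link target changed (mtime-only changes are ignored).
flag_suspicious() {
    awk '
        /^missing/     { print "MISSING  " $NF; next }
        /^Unsatisfied/ { next }          # dependency complaints, not file changes
        NF < 2         { next }
        {
            flags = $1
            type  = (NF >= 3) ? $2 : ""
            path  = $NF
            if (type == "c" || type == "d") next   # edited config/doc files are expected
            if (flags ~ /[SM5UGL]/) print "CHANGED  " flags "  " path
        }
    '
}

# Constructed sample of rpm -Va output (rpm 4.x flag layout); the paths and
# flags are illustrative, not captured from the compromised host.
SAMPLE='SM5....T    /bin/ls
.......T    /usr/bin/vim
S.5....T  c /etc/vsftpd/vsftpd.conf
missing     /usr/sbin/vsftpd
.M......    /usr/bin/chage'

printf '%s\n' "$SAMPLE" | flag_suspicious
```

On a real rescue boot, replace the sample with `rpm -Va --root /mnt/sysimage 2>&1 | flag_suspicious | less`.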



