[TriLUG] invisible directories...
Paul D. Boyle
boyle at laue.chem.ncsu.edu
Mon Apr 21 16:49:28 EDT 2003
Jeff Painter wrote:
> I'm not sure of what the vulnerability was, but I did determine which
> files were replaced.
>
> /bin/df
> /bin/ls
> /bin/netstat
> /bin/ping
>
> I'll keep looking...
These look pretty typical for the binaries which get replaced during an
attack. The best thing to do is to wipe your disk clean (i.e. reformat
it) and reinstall from virgin (i.e. CD-ROM) media. I assume you have
backups of your /home and other user data or system specific directories.
If not, then pretty much your only option is to hand pick your way through
your system specific directories looking for nasties which may have been
left behind. Hopefully, you won't miss anything.
Good Luck,
Paul
--
Paul D. Boyle | boyle at laue.chem.ncsu.edu
Director, X-ray Structural Facility | phone: (919) 515-7362
Department of Chemistry - Box 8204 | FAX: (919) 515-5079
North Carolina State University | http://www.xray.ncsu.edu
Raleigh, NC, 27695-8204
More information about the TriLUG
mailing list