[TriLUG] invisible directories...

Jon Carnes jonc at nc.rr.com
Mon Apr 21 17:10:04 EDT 2003


Sounds like the typical root kit.  I'm sure you will also find that "ps"
has been taken down, and probably a couple of your libraries.

I'm fond of installing a hidden (unmounted) directory which has copies
of all my valid binaries and libraries.  It helps you at times like
these.

I also run an intrusion script that checks against certain binaries (all
those on your list, plus a few more) and looks for any diffs on a
ten-minute basis.  Some root kits will take cron off-line, so the script
runs continuously (it just does the binary checks every 10 minutes).

Good Luck - Jon

On Mon, 2003-04-21 at 16:49, Paul D. Boyle wrote:
> Jeff Painter wrote:
> > I'm not sure of what the vulnerability was, but I did determine which 
> > files were replaced.
> > 
> >  /bin/df
> >  /bin/ls
> >  /bin/netstat
> >  /bin/ping
> > 
> > I'll keep looking...
> 
> These look pretty typical for the binaries which get replaced during an
> attack.  The best thing to do is to wipe your disk clean (i.e. reformat
> it) and reinstall from virgin (i.e. CD-ROM) media.  I assume you have
> backups of your /home and other user data or system specific directories.
> If not, then pretty much your only option is to hand pick your way through
> your system specific directories looking for nasties which may have been
> left behind.  Hopefully, you won't miss anything.
> 
> Good Luck,
> 
> Paul
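A minimal version of the check Jon describes, added here as an illustration and not Jon's own script: known-good copies of the watched binaries sit in a reference directory, and a loop compares the live files against them every ten minutes without relying on cron. REF_DIR, WATCHED and INTERVAL are assumed names; the binary list is the one from the thread plus ps.

```shell
#!/bin/sh
# Added example, not the script from the post: keep pristine copies of critical
# binaries in a reference directory and compare the live files against them on
# a fixed interval. REF_DIR, WATCHED and INTERVAL are assumed names.

REF_DIR="${REF_DIR:-/var/lib/binref}"          # assumed: holds the known-good copies
WATCHED="${WATCHED:-/bin/df /bin/ls /bin/netstat /bin/ping /bin/ps}"
INTERVAL="${INTERVAL:-600}"                    # ten minutes, as in the post

# Copy the current binaries into REF_DIR. Run once on a host you trust
# (right after a clean install), never after a suspected compromise.
snapshot_binaries() {
    mkdir -p "$REF_DIR" || return 1
    for f in $WATCHED; do
        [ -f "$f" ] || continue
        cp -p "$f" "$REF_DIR/$(basename "$f")" || return 1
    done
}

# Compare each watched binary byte-for-byte with its reference copy.
# Prints one line per problem; returns 0 if everything matches, 1 otherwise.
check_binaries() {
    rc=0
    for f in $WATCHED; do
        ref="$REF_DIR/$(basename "$f")"
        if [ ! -f "$ref" ]; then
            echo "NOREF   $f (no reference copy)"; rc=1
        elif [ ! -f "$f" ]; then
            echo "MISSING $f"; rc=1
        elif ! cmp -s "$ref" "$f"; then
            echo "CHANGED $f differs from $ref"; rc=1
        fi
    done
    return $rc
}

# Run the check forever with a built-in sleep instead of a cron entry,
# since cron itself may have been taken off-line.
watch_loop() {
    while :; do
        if ! check_binaries; then
            echo "$(date '+%F %T') integrity check FAILED" >&2
        fi
        sleep "$INTERVAL"
    done
}

# Uncomment to run as a daemon:  watch_loop
```

The shell, cmp and basename used here come from the live system, so keep copies of those in the reference directory too and put it first in PATH when running the loop after an incident.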