[TriLUG] invisible directories...

Greg Brown gregbrown at mindspring.com
Mon Apr 21 17:23:20 EDT 2003


I've found the following zsh command helpful to find executable files 
which have changed over the past 24 hours:

#!/bin/zsh
# glob qualifiers: * = executable regular files, . = plain files, m-1 = modified within the last day
print -l /**/*(*.m-1)

Of course, this assumes that print and zsh have not been messed with.  
I have this command wrapped up in a larger script run daily via cron.  
I suppose I could also check for the checksums of zsh and print before 
starting the script proper.  Guess I'll add that functionality tonight.

Greg

On Monday, April 21, 2003, at 05:10 PM, Jon Carnes wrote:

> Sounds like the typical root kit.  I'm sure you will also find that "ps"
> has been taken down, and probably a couple of your libraries.
>
> I'm fond of installing a hidden (unmounted) directory which has copies
> of all my valid binaries and libraries.  It helps you at times like
> these.
>
> I also run an intrusion script that checks against certain binaries (all
> those on your list, plus a few more) and looks for any diffs on a ten
> minutes basis.  Some root kits will take cron off-line, so the script
> runs continuously (it just does the binary checks every 10 minutes).
>
> Good Luck - Jon
>
> On Mon, 2003-04-21 at 16:49, Paul D. Boyle wrote:
>> Jeff Painter wrote:
>>> I'm not sure of what the vulnerability was, but I did determine which
>>> files were replaced.
>>>
>>>  /bin/df
>>>  /bin/ls
>>>  /bin/netstat
>>>  /bin/ping
>>>
>>> I'll keep looking...
>>
>> These look pretty typical for the binaries which get replaced during an
>> attack.  The best thing to do is to wipe your disk clean (i.e. reformat
>> it) and reinstall from virgin (i.e. CD-ROM) media.  I assume you have
>> backups of your /home and other user data or system specific directories.
>> If not, then pretty much your only option is to hand pick your way through
>> your system specific directories looking for nasties which may have been
>> left behind.  Hopefully, you won't miss anything.
>>
>> Good Luck,
>>
>> Paul
>
> _______________________________________________
> TriLUG mailing list
>     http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ:
>     http://www.trilug.org/faq/TriLUG-faq.html
>
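One way to build the kind of baseline-and-compare check Jon describes (and the checksum precheck Greg mentions), as an added example that is not from this thread: it assumes sha256sum from GNU coreutils, and the manifest path, file list and 10-minute interval are placeholders.

```shell
#!/bin/sh
# Added example: compare a set of binaries against a checksum manifest taken
# from trusted media, and loop without depending on cron.

# Build the baseline manifest (run once, from known-good binaries).
# usage: make_baseline /path/to/manifest /bin/ls /bin/ps ...
make_baseline() {
    manifest=$1; shift
    sha256sum "$@" > "$manifest"
}

# Recompute each checksum listed in the manifest and report differences.
# Prints CHANGED/MISSING lines; returns 1 if anything differs, 0 if clean.
check_baseline() {
    manifest=$1
    rc=0
    while read -r sum path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; rc=1; continue
        fi
        cur=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$cur" != "$sum" ]; then
            echo "CHANGED $path"; rc=1
        fi
    done < "$manifest"
    return $rc
}

# Run continuously so the check still happens if cron is taken off-line.
# usage: watch_baseline /path/to/manifest [interval-seconds]
watch_baseline() {
    manifest=$1; interval=${2:-600}
    while :; do
        check_baseline "$manifest" || logger -t intrusion-check "binary check FAILED"
        sleep "$interval"
    done
}
```

Keep the manifest (and ideally a copy of sha256sum and sh) somewhere the checked system cannot silently overwrite, otherwise a replaced binary can be paired with a replaced baseline.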