[TriLUG] invisible directories...
Turnpike Man
turnpike420 at yahoo.com
Mon Apr 21 22:55:39 EDT 2003
Reading all this is kinda disturbing. I hate seeing this kind of crap going
on. Are there ways he could have prevented this, besides never plugging into
a network? Was his FTP the most probable point of entry? If you find out how
they did it, I'd love to know. Thanks and good luck, Jeff.
David M.
--- Greg Brown wrote:
> I've found the following zsh command helpful to find executable files
> which have changed over the past 24 hours:
>
> #!/bin/zsh
> print -l /**/*(*.m-1)
>
> Of course, this assumes that print and zsh have not been messed with.
> I have this command wrapped up in a larger script run daily via cron.
> I suppose I could also check for the checksums of zsh and print before
> starting the script proper. Guess I'll add that functionality tonight.
>
> Greg
>
> On Monday, April 21, 2003, at 05:10 PM, Jon Carnes wrote:
>
> > Sounds like the typical root kit. I'm sure you will also find that "ps"
> > has been taken down, and probably a couple of your libraries.
> >
> > I'm fond of installing a hidden (unmounted) directory which has copies
> > of all my valid binaries and libraries. It helps you at times like
> > these.
> >
> > I also run an intrusion script that checks against certain binaries (all
> > those on your list, plus a few more) and looks for any diffs on a
> > ten-minute basis. Some root kits will take cron off-line, so the script
> > runs continuously (it just does the binary checks every 10 minutes).
> >
> > Good Luck - Jon
> >
> > On Mon, 2003-04-21 at 16:49, Paul D. Boyle wrote:
> >> Jeff Painter wrote:
> >>> I'm not sure of what the vulnerability was, but I did determine which
> >>> files were replaced.
> >>>
> >>> /bin/df
> >>> /bin/ls
> >>> /bin/netstat
> >>> /bin/ping
> >>>
> >>> I'll keep looking...
> >>
> >> These look pretty typical for the binaries which get replaced during an
> >> attack.
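As an added example (my own code, not anything posted by Jon, Greg or Jeff in this thread), here is a POSIX shell version of the baseline-and-compare check they describe: record a hash of each trusted binary once, compare on a schedule, and poll in a loop rather than trusting cron. It assumes sha256sum or shasum is available, and the file list, hashes and "trojaned" file in the demo are constructed in a temp directory so it runs offline.

```shell
#!/bin/sh
# Added example, not code posted in this thread: a baseline-and-compare
# integrity check of the kind Jon and Greg describe, plus a polling loop for
# hosts where cron may have been disabled. Assumptions (mine): sha256sum or
# shasum is on the PATH, and the baseline file lives somewhere the attacker
# cannot rewrite (read-only media, another host).

# Hash one file, portably (sha256sum on Linux, shasum on BSD/macOS).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Record "hash  path" for every file given, into the baseline file $1.
make_baseline() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f" >> "$out"
    done
}

# Compare current hashes against baseline $1. Prints one line per problem
# ("CHANGED path" or "MISSING path") and returns 1 if any were found.
check_baseline() {
    base="$1"
    status=0
    while IFS= read -r line; do
        want="${line%%  *}"
        path="${line#*  }"
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; status=1; continue
        fi
        have="$(hash_file "$path")"
        if [ "$have" != "$want" ]; then
            echo "CHANGED $path"; status=1
        fi
    done < "$base"
    return $status
}

# Poll forever instead of relying on cron (which a rootkit may have stopped).
# Not invoked below; start it from a boot script or a tty in real use.
watch_loop() {
    base="$1"; interval="${2:-600}"
    while :; do
        check_baseline "$base" || printf 'integrity: binary mismatch detected\n' >&2
        sleep "$interval"
    done
}

# Demonstration on constructed files in a temp dir. "$1" = tamper|clean.
# Echoes the number of CHANGED entries so a caller can assert on it.
demo() {
    tmp="$(mktemp -d)"
    mkdir "$tmp/bin"
    for name in ls netstat df ping; do
        printf 'original %s\n' "$name" > "$tmp/bin/$name"
    done
    make_baseline "$tmp/baseline" "$tmp/bin/ls" "$tmp/bin/netstat" \
        "$tmp/bin/df" "$tmp/bin/ping"
    if [ "$1" = "tamper" ]; then
        # Simulate a rootkit replacing netstat (same name, new content).
        printf 'trojaned netstat\n' > "$tmp/bin/netstat"
    fi
    changed="$(check_baseline "$tmp/baseline" | grep -c '^CHANGED' || true)"
    rm -rf "$tmp"
    echo "$changed"
}

echo "changed entries after tampering: $(demo tamper)"
```

The check is only as trustworthy as the tools it runs: if sha256sum, cut or the shell itself have been swapped, a rootkit can lie to the script. That is the point of Jon's hidden directory of known-good binaries; put such a copy first in PATH before running the check, and keep the baseline file where the compromised host cannot rewrite it.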