[TriLUG] invisible directories...
Roy Vestal
rvestal at trilug.org
Tue Apr 22 14:13:14 EDT 2003
Jon,
Using this method of a hidden directory, could you also have valid system RPMs of these binaries and libraries and run rpm -Uvh *? I know if a machine is being updated with up2date that's a twist in this, but I'm just curious about your idea. Could you expound on what you store here? Offlist reply is ok with me.
TIA
On 21 Apr 2003 17:10:04 -0400
Jon Carnes <jonc at nc.rr.com> wrote:
> Sounds like the typical root kit. I'm sure you will also find that "ps"
> has been taken down, and probably a couple of your libraries.
>
> I'm fond of installing a hidden (unmounted) directory which has copies
> of all my valid binaries and libraries. It helps you at times like
> these.
>
> I also run an intrusion script that checks against certain binaries (all
> those on your list, plus a few more) and looks for any diffs on a ten
> minutes basis. Some root kits will take cron off-line, so the script
> runs continuously (it just does the binary checks every 10 minutes).
>
> Good Luck - Jon
>
> On Mon, 2003-04-21 at 16:49, Paul D. Boyle wrote:
> > Jeff Painter wrote:
> > > I'm not sure of what the vulnerability was, but I did determine which
> > > files were replaced.
> > >
> > > /bin/df
> > > /bin/ls
> > > /bin/netstat
> > > /bin/ping
> > >
> > > I'll keep looking...
> >
> > These look pretty typical for the binaries which get replaced during an
> > attack. The best thing to do is to wipe your disk clean (i.e. reformat
> > it) and reinstall from virgin (i.e. CD-ROM) media. I assume you have
> > backups of your /home and other user data or system specific directories.
> > If not, then pretty much your only option is to hand pick your way through
> > your system specific directories looking for nasties which may have been
> > left behind. Hopefully, you won't miss anything.
> >
> > Good Luck,
> >
> > Paul
>
> _______________________________________________
> TriLUG mailing list
> http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ:
> http://www.trilug.org/faq/TriLUG-faq.html
>
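The continuous binary check Jon describes, written out as an added example (not a script from this thread or from TriLUG): it hashes a list of binaries against a baseline kept with trusted tool copies and keeps its own ten-minute schedule instead of relying on cron. TRUSTED_BIN, SHA, build_baseline, check_binaries and watch_binaries are assumed names.

```shell
#!/bin/sh
# Integrity check for a fixed list of binaries (df, ls, netstat, ping, ...).
# Assumption: the hashing tool and the baseline live in a directory the
# intruder has not touched, per the "hidden directory" idea in the thread.
TRUSTED_BIN="${TRUSTED_BIN:-/usr/bin}"    # point at your trusted coreutils copy
SHA="${SHA:-$TRUSTED_BIN/sha256sum}"
INTERVAL="${INTERVAL:-600}"               # ten minutes, as in the thread

# Record "hash  path" for every file named in the list ($1) into the baseline ($2).
build_baseline() {
    while read -r f; do
        if [ -n "$f" ]; then "$SHA" "$f"; fi
    done < "$1" > "$2"
}

# Re-hash every file in the baseline ($1). Prints one line per changed or
# missing file; returns 1 if anything differs, 0 if all match.
check_binaries() {
    rc=0
    while read -r sum f; do
        cur=$("$SHA" "$f" 2>/dev/null || true)
        cur=${cur%% *}                     # keep only the hash field
        if [ -z "$cur" ]; then
            echo "MISSING $f"; rc=1
        elif [ "$cur" != "$sum" ]; then
            echo "CHANGED $f"; rc=1
        fi
    done < "$1"
    return $rc
}

# Loop forever: rootkits may disable cron, so the script keeps time itself.
# Findings are appended to the log ($2) with a timestamp.
watch_binaries() {
    while :; do
        if ! check_binaries "$1" >> "$2"; then
            echo "$(date) integrity mismatch on $(hostname)" >> "$2"
        fi
        sleep "$INTERVAL"
    done
}

# Only start the watch loop when explicitly asked, so sourcing is side-effect free.
if [ "${WATCH:-0}" = 1 ]; then
    watch_binaries "${BASELINE:?set BASELINE}" "${LOGFILE:?set LOGFILE}"
fi
```

Build the baseline from known-good media before the box is exposed; a baseline taken after compromise only certifies the attacker's binaries.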