[TriLUG] invisible directories...

Jon Carnes jonc at nc.rr.com
Tue Apr 22 14:39:44 EDT 2003


If I were going to use the RPMs, then I would use my second favorite
trick: a hidden partition and rsync.  In that case you could store RPMs
or copies of your /etc, /lib, /bin, and /sbin.  Then have three scripts:
 - one to create the files and update the files if necessary,
 - one that you run as a check on your current filesystem,
 - one that backs up your current config (to someplace else), then copies
the stored one over the current config.

HtH - Jon

On Tue, 2003-04-22 at 14:13, Roy Vestal wrote:
> Jon,
>  Using this method of hidden directories, could you also have valid system rpms of these binaries and libraries and run rpm -Uvh *? I know if a machine is being updated with up2date that's a twist in this, but I'm just curious on your idea. Could you expound on what you store here? Offlist reply is ok with me.
> 
> TIA
> 
> On 21 Apr 2003 17:10:04 -0400
> Jon Carnes <jonc at nc.rr.com> wrote:
> 
> > Sounds like the typical root kit.  I'm sure you will also find that "ps"
> > has been taken down, and probably a couple of your libraries.
> > 
> > I'm fond of installing a hidden (unmounted) directory which has copies
> > of all my valid binaries and libraries.  It helps you at times like
> > these.
> > 
> > I also run an intrusion script that checks against certain binaries (all
> > those on your list, plus a few more) and looks for any diffs on a ten-minute
> > basis.  Some root kits will take cron off-line, so the script
> > runs continuously (it just does the binary checks every 10 minutes).
> > 
> > Good Luck - Jon
> > 
> > On Mon, 2003-04-21 at 16:49, Paul D. Boyle wrote:
> > > Jeff Painter wrote:
> > > > I'm not sure of what the vulnerability was, but I did determine which 
> > > > files were replaced.
> > > > 
> > > >  /bin/df
> > > >  /bin/ls
> > > >  /bin/netstat
> > > >  /bin/ping
> > > > 
> > > > I'll keep looking...
> > > 
> > > These look pretty typical for the binaries which get replaced during an
> > > attack.  The best thing to do is to wipe your disk clean (i.e. reformat
> > > it) and reinstall from virgin (i.e. CD-ROM) media.  I assume you have
> > > backups of your /home and other user data or system specific directories.
> > > If not, then pretty much your only option is to hand pick your way through
> > > your system specific directories looking for nasties which may have been
> > > left behind.  Hopefully, you won't miss anything.
> > > 
> > > Good Luck,
> > > 
> > > Paul
> > 
> > _______________________________________________
> > TriLUG mailing list
> >     http://www.trilug.org/mailman/listinfo/trilug
> > TriLUG Organizational FAQ:
> >     http://www.trilug.org/faq/TriLUG-faq.html
> > 