On Wed, Dec 03, 2003 at 10:42:40PM -0500, TeleSIP wrote:
> A good rootkit will also modify the date and time of the replaced binaries
> so they will look the same as the original.
> 
> Try to replace your "ps" command with that from a trusted RH9 machine.  If
> it works ok then you must do a clean install to get rid of the rootkit.

Using the RPM database for package verification is a good way to check, also (better 
than date/time stamp). So:

rpm -V procps 

procps is the package for ps and some other commands, "V" = verify the whole package. 
This should NOT return ANY error or information. So, if you get something like 
"S.5....T c /bin/ps" or ANYTHING else for THIS package you've got a problem.

This doesn't 100% work on all rpm pkgs. You often modify config files and they show up 
like this:

rpm -V ypbind
S.5....T c /etc/yp.conf

This means that you need to use some judgement. Generally, if you have a binary, it 
should not change. Configs will or can change.

You could also look to do:

rpm -qf `which ps`

This should return a line that says procps-{version}. If the 
output of this rpm command shows, "file nohup.out is not owned by any package" you are 
running (based on your $PATH variable) the wrong ps command. This only works for rpm 
installed pkgs, not your normal tar installs. This is just one of the pluses for a pkg 
manager (not just rpm).

These are based on the partial belief that the hackers with rootkits aren't 
"upgrading" your procps package to their version. Basically, this is just another clue 
to look at and should NOT be done in isolation.

For some better options, check out:

http://freshmeat.net

and search for "system integrity" then "Intrusion Detection"

AIDE (Advanced Intrusion Detection Environment) is a standout in this realm (free 
replacement for Tripwire).

> 
> 
> ----- Original Message ----- 
> From: "Paul Oster" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, December 03, 2003 10:24 PM
> Subject: Re: [Asterisk-Users] Does Asterisk overwrite any libraries?
> 
> 
> > Looks like your box has been compromised.  Try
> >
> > ls -l `which ps`
> >
> > You'll probably find an inappropriate date.  Whenever I've diagnosed
> > problems like this, I've found badly installed rootkits.
> >
> > To address this on my production machines, I'm going to instruct the
> > router to only allow traffic that is coming from trusted locations
> > to connect to the box anyplace.
> >
> > I really hope I'm wrong about this Costas, but you should probably start
> > verifying your binaries.
> >
> > If your machine has been compromised, a clean install, and patch with
> > all the updated RPMS is a recommended solution.
> >
> > Paul
> > costas wrote:
> >
> > >I am using a brand new RH9.0 installation. I installed Asterisk
> > >afterwards so I am not sure if Asterisk caused the problem below. The ps
> > >doesn't work. It could also be something else. I also tried installing
> > >some video package. But I thought to ask here first if someone has seen this
> > >before.
> > >
> > >[EMAIL PROTECTED] asterisk]# ps
> > >ps: error while loading shared libraries: libproc.so.2.0.6: cannot open
> shared object file: No such file or directory
> > >
> > >[EMAIL PROTECTED] asterisk]# which ps
> > >/bin/ps
> > >
> > >Thanks
> > >Costas
> > >
> > >--
> > >Costas Menico
> > >Meezon Software Corp
> > >201-224-8111
> > >[EMAIL PROTECTED]
> > >
> > >--
> > >_______________________________________________
> > >Asterisk-Users mailing list
> > >[EMAIL PROTECTED]
> > >http://lists.digium.com/mailman/listinfo/asterisk-users
> > >
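An added example, not code from the thread or from any of its posters: a small POSIX shell script that triages `rpm -V` output the way the reply above describes, treating drift in config files (the `c` marker) as expected and reporting only non-config files that are missing or whose size or digest no longer match, plus a check of `rpm -qf` output for the "is not owned by any package" case. The sample lines, the package name `ypbind` pairing and the version string `procps-1.2.3-4` are constructed for the demonstration, not captured from a real host; on a live system you would feed the functions the real `rpm -V` and `rpm -qf` output as shown in the comments.

```shell
#!/bin/sh
# Added example (not from the thread): triage `rpm -V` output so that drift in
# config files is kept apart from changes to binaries, which should not change.
#
# Each `rpm -V` line is:  FLAGS [TYPE] PATH
#   FLAGS: S size, M mode, 5 digest, D device, L link, U user, G group, T mtime;
#          "." means that attribute still matches the RPM database.
#   TYPE:  "c" marks a config file (other markers exist, e.g. "d" for docs).
# A line starting with "missing" means the file is gone entirely.

# Constructed sample, as if from:  rpm -V ypbind procps
SAMPLE_VERIFY='S.5....T c /etc/yp.conf
S.5....T   /bin/ps
.......T   /usr/share/man/man1/ps.1.gz
missing    /usr/bin/top'

# Constructed sample outputs of:  rpm -qf `which ps`
SAMPLE_QF_OK='procps-1.2.3-4'
SAMPLE_QF_BAD='file /usr/local/bin/ps is not owned by any package'

# Print the paths of non-config files that are missing or whose size or digest
# changed. A bare mtime change ("T" only) is noted by rpm but is not, on its
# own, evidence that a binary was replaced, so it is not reported here.
suspicious_files() {
    printf '%s\n' "$1" | while read -r flags f2 f3; do
        # With a type marker the path is the third field, otherwise the second.
        if [ "$f2" = "c" ]; then marker=c; path=$f3; else marker=""; path=$f2; fi
        if [ "$flags" = "missing" ]; then
            printf '%s\n' "$path"
        elif [ "$marker" = "c" ]; then
            :                                 # config file: expected to drift
        else
            case "$flags" in
                *5*|*S*) printf '%s\n' "$path" ;;   # content of a non-config file changed
            esac
        fi
    done
}

# Return 0 and echo the owning package, or return 1 when rpm says the file is
# not owned by any package (i.e. the ps found on PATH did not come from an RPM).
check_owner() {
    case "$1" in
        *"is not owned by any package"*) return 1 ;;
    esac
    printf '%s\n' "$1"
}

# Stand-alone run on the constructed samples. On a live host:
#   suspicious_files "$(rpm -V procps 2>&1)"
#   check_owner "$(rpm -qf "$(which ps)" 2>&1)"
echo "Non-config files failing verification:"
suspicious_files "$SAMPLE_VERIFY"
if check_owner "$SAMPLE_QF_BAD" >/dev/null; then
    echo "ps on PATH belongs to an installed package"
else
    echo "ps on PATH is not owned by any package: investigate"
fi
```

As the reply itself notes, a clean `rpm -V` only says the files match the RPM database; an attacker who can install packages can also update that database, so this check is one clue among several rather than proof of integrity.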
