Have your friend take a look at chkrootkit
http://www.chkrootkit.org/
This is a utility that will detect a fair number of Linux rootkits.

There are also many links on the page discussing rootkits, finding them, etc.

Once a machine is compromised, the only sure way of removing the problem is to 
wipe the disks completely and start from scratch - this is the recommended 
course of action. If possible, one should try and determine how the machine 
was compromised in the first place and ensure that when reinstalling, all the 
latest patches and updates are applied correctly. 

Another option is to remove the hard drive from the suspect machine and mount 
it in another Linux machine to check its contents and do further forensic 
analysis. There are also tools available to do this.

Martin

On August 12, 2003 12:31 pm, Dave Wilson wrote:
> I have a friend, here is what he sent me:
>
> - The box is cracked. A whole raft of functions in /usr/bin and /usr/sbin
> were replaced with newer/older versions. The reason I say it that way is
> that the file stamps are newer but, the reported version numbers are
> older.
> - The NIC is in PROMISC mode. If you run ifconfig and look at the NIC
> flags 'PROMISC' appears there. When I turn it off it is only a matter of
> moments before it is back on. This is another clue that I'm cracked.
> - When I run tcpdump the amount of traffic is staggering!! In fact, I
> thought I might win if I closed things down a bit...and subsequently
> closed the door on myself. I'm sure that no one is using the box at the
> moment. :-)
> - I went out and grabbed real versions of all of the RPMs for the tools
> that were replaced. I forced those to install overtop of the cracked
> ones. That worked...until some process re-copied the bogus ones on top
> again.
>
>
> Any suggestions (other than turn the machine off and repave the system)?
>
> I'm trying to help him find the source of the problem.  In trying to limit
> net access to the machine, he ended up locking himself out til he gets
> home from work.
>
> In order to figure out what processes are running, and which one might be
> causing the mayhem, I basically suggested he try this:
>
> more /proc/*/cmdline
>
> which should list the processes running better than a cracked `ps`.
>
> any help is much appreciated.
>
> Dave
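As an added example (not code from either message in this thread), here is a Python script that does what Dave's `more /proc/*/cmdline` one-liner does, but decodes the NUL-separated cmdline properly and cross-checks the PIDs found in /proc against the output of `ps`; any PID that exists in /proc but is missing from `ps` is a candidate for a process hidden by a trojaned `ps`. It assumes a Linux host with a procps-style `ps` on the path.

```python
"""Cross-check the process list seen in /proc against what `ps` reports."""
import os
import subprocess


def parse_cmdline(raw):
    """Turn NUL-separated /proc/<pid>/cmdline bytes into an argv list.

    Kernel threads have an empty cmdline; the caller falls back to comm.
    """
    return [arg.decode("utf-8", "replace") for arg in raw.split(b"\0") if arg]


def proc_processes(proc_root="/proc"):
    """Map every numeric /proc entry to its argv, read straight from the kernel."""
    result = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc_root}/{entry}/cmdline", "rb") as fh:
                argv = parse_cmdline(fh.read())
            if not argv:  # kernel thread: show its name in brackets, as ps does
                with open(f"{proc_root}/{entry}/comm") as fh:
                    argv = [f"[{fh.read().strip()}]"]
        except OSError:
            continue  # the process exited between listdir() and open()
        result[int(entry)] = argv
    return result


def ps_pids():
    """PIDs as reported by ps; a replaced ps may silently omit some of them."""
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_pids(from_proc, from_ps):
    """PIDs visible in /proc but absent from the ps listing."""
    return set(from_proc) - set(from_ps)


if __name__ == "__main__":
    procs = proc_processes()
    # Re-scan /proc after running ps: a PID that has since exited is a race,
    # not a hidden process, so only report PIDs still present in both scans.
    suspects = hidden_pids(procs, ps_pids()) & set(proc_processes())
    for pid in sorted(suspects):
        print(f"hidden from ps: pid {pid}: {' '.join(procs[pid])}")
```

On a clean box the script prints nothing; running it from the recovered disk mounted on another machine is not meaningful, since /proc reflects only the live kernel.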
