On 2009-08-08, pk <pete...@coolmail.se> wrote:
> Grant Edwards wrote:
>
>> That's what I thought back when I was using dialup on a Linux
>> box that didn't have any servers running.  Then one day I got
>> root-kitted.
>
> This may be off-topic but I'm curious about the details. Can you please
> elaborate?

Well, it was probably about 9 years ago, but here's the way I
remember it:

It started when I noticed the modem's RX/TX lights were
flashing when there was no reason for them to be doing so (I
was in the habit of keeping an eye on them to make sure the
connection was working OK).  When I did a netstat, it showed
active network connections that shouldn't have been there, but
ps didn't show the processes that netstat said had connections
open.  The "ps" binary had been replaced with a hacked version.
IIRC, so had the "lsof" binary because it didn't show the
processes that had the connections open either.

I was running an RPM-based installation at the time (RH 6 or 7
I believe), and an rpm "verify" command failed for a
handful of system related binaries (among them ps and lsof):
they weren't the same files that rpm had installed.

The /proc filesystem was still complete, so I was able to track
down the suspect processes and find out what binaries they were
running.  The binaries were very oddly named files in very
strange places.  A web search for their names told me that they
were part of a rootkit that was used to remotely exploit Linux
machines.

I shut down the machine, rebooted from a liveCD, backed up some
user files, and did a clean install -- after which I signed up
for DSL and a Cisco 675 modem/router.

It was a very sobering experience...

-- 
Grant


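The check Grant describes (connections visible, owning processes missing from a trojaned ps, but still present under /proc) can be scripted. The following is an added example, not code from the original post; it assumes a Linux /proc, a procps-style `ps` that accepts `-e -o pid=`, and optionally an RPM-based system for the `rpm -V` step. The `hidden_pids` function is pure list comparison so it can be exercised on constructed input; `live_check` gathers real data.

```sh
#!/bin/sh
# Added example (not from the original post): cross-check the process list
# that `ps` admits to against the PID directories the kernel exposes in
# /proc. A userland rootkit that replaces ps/lsof hides its processes from
# those tools, but /proc/<pid> is still populated by the kernel.
# Assumptions: Linux /proc, procps-style `ps -e -o pid=`, optional rpm.

# hidden_pids "PROC_PIDS" "PS_PIDS"
#   Both arguments are whitespace-separated PID lists. Prints each PID that
#   is present in the /proc list but absent from the ps list, one per line.
#   Always returns 0 so it is safe to call under `set -e`.
hidden_pids() {
    for pid in $1; do
        found=0
        for p in $2; do
            if [ "$pid" = "$p" ]; then
                found=1
                break
            fi
        done
        if [ "$found" -eq 0 ]; then
            printf '%s\n' "$pid"
        fi
    done
    return 0
}

# proc_pids: PIDs the kernel exposes as /proc/<pid> directories.
proc_pids() {
    for d in /proc/[0-9]*; do
        printf '%s ' "${d#/proc/}"
    done
}

# ps_pids: PIDs that the (possibly trojaned) ps binary is willing to show.
ps_pids() {
    ps -e -o pid= | tr '\n' ' '
}

# describe_pid PID: what a hidden process is really running. The exe link
# resolves even if the binary was renamed or deleted after exec, and the
# fd listing shows which sockets it holds (the netstat connections).
describe_pid() {
    pid=$1
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
    cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null || echo '?')
    printf 'pid %s exe=%s cmdline=%s\n' "$pid" "$exe" "$cmd"
    ls -l "/proc/$pid/fd" 2>/dev/null | grep 'socket:' | sed 's/^/    /'
}

# live_check: take two snapshots and report only PIDs hidden in both, which
# filters out processes that merely started or exited between the two
# listings (a single snapshot produces false positives).
live_check() {
    first=$(hidden_pids "$(proc_pids)" "$(ps_pids)")
    sleep 1
    second=$(hidden_pids "$(proc_pids)" "$(ps_pids)" | tr '\n' ' ')
    for pid in $first; do
        case " $second " in
            *" $pid "*) describe_pid "$pid" ;;
        esac
    done
    # On an RPM system, verify the tools themselves against the package
    # database. Silent output means the files match; a line such as
    # "S.5....T.  /bin/ps" means size, digest and mtime differ. This trusts
    # the local rpm binary and database, which a rootkit can also tamper
    # with, so repeat it from a live CD before believing a clean result.
    if command -v rpm >/dev/null 2>&1; then
        rpm -Vf "$(command -v ps)" 2>/dev/null
        if command -v lsof >/dev/null 2>&1; then
            rpm -Vf "$(command -v lsof)" 2>/dev/null
        fi
    fi
}

case "${1-}" in
    --live) live_check ;;
esac
```

Run it as `sh procheck.sh --live` (as root, so every /proc/<pid>/exe link is readable). Any PID it prints is a process the kernel knows about but ps does not report; that is the discrepancy the post describes, and `readlink /proc/<pid>/exe` gives the oddly named binary to look up.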