On Wednesday 09 August 2006 15:28, Phill Coxon wrote:
> On Wed, 2006-08-09 at 14:33 +1200, Nick Rout wrote:
> > On Wed, 09 Aug 2006 13:17:11 +1200
> >
> > Phill Coxon wrote:
> > > I have a client with a dedicated server where a very important
> > > configuration file keeps disappearing for no explainable reason.
> >
> > At any particular time or just randomly?
>
> Random.
>
> > First place to check might be crontab I suppose.
>
> Nothing in there.
>
> > Ugly problem though.
>
> Yup. First step is ensure the file gets replaced so the system keeps
> working. The script will notify us when it finds the file deleted, so
> the timings may help us track something down.

So, either there is a trojan running all the time, or an existing daemon
has been tampered with, or something is being triggered out of [x]inetd,
or perhaps an existing command has been trojanned... Unfortunately, the list
is endless.

Is it possible to re-build a clean system, take a Tripwire-like database
off it and then transfer the data to it? IMHO, that will probably be
quicker than trying to find the culprit on the live system.
Take a Tripwire snapshot of the corpse and compare against the known good
one. Then apply forensic tools to the corpse. You might find "The Coroner's
Toolkit" by Dan Farmer and Wietse Venema, and derivative kits, useful.

http://www.porcupine.org/forensics/tct.html
http://www.e-fense.com/helix/ (for example, used by the FBI)

I would try to get the compromised server offline as soon as possible,
because you have no idea what else it might do once it realises that you
are 'on to it'.

-- 
CS
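The baseline-and-compare step described above (clean rebuild, integrity database, snapshot of the corpse, diff), as an added illustration that is not part of the thread and not Tripwire's own code. It hashes every regular file under a tree, then reports what is missing, changed or added relative to the known-good baseline; the two sample trees are constructed in temporary directories, with hypothetical paths such as etc/important.conf.

```python
import hashlib
import os
import stat
import tempfile

def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each regular file (path relative to root) to (sha256, mode, size)."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode):  # skip symlinks, devices, sockets
                manifest[os.path.relpath(full, root)] = (
                    hash_file(full), stat.S_IMODE(st.st_mode), st.st_size)
    return manifest

def compare(baseline, current):
    """Return (missing, changed, added) file lists relative to the baseline."""
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return missing, changed, added

def write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)

def demo():
    """Constructed sample trees: a clean build and a 'corpse' where the config
    file is gone, a binary was altered and an unexpected file appeared."""
    clean, corpse = tempfile.mkdtemp(), tempfile.mkdtemp()
    for root in (clean, corpse):
        write(root, "etc/important.conf", "setting=1\n")
        write(root, "usr/bin/ls", "#!/bin/sh\necho original\n")
    baseline = build_manifest(clean)  # taken from the clean rebuild
    os.remove(os.path.join(corpse, "etc/important.conf"))
    write(corpse, "usr/bin/ls", "#!/bin/sh\necho altered\n")
    write(corpse, "usr/bin/.hidden", "x\n")
    return compare(baseline, build_manifest(corpse))
```

In practice build_manifest() runs once on the clean rebuild and once on a read-only copy of the corpse's disk, and the "changed" list is where a tampered daemon or command would show up.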
