On 4/12/07, Ryan Simpkins <[EMAIL PROTECTED]> wrote:
> Sorry for the self reply - but I forgot something.
>
> ALWAYS find out how they got in BEFORE you stop processes, wipe the system, and
> restore your backup. You'll just get compromised again. Use lsof, and
> /proc/<pid of offending process>/env to look for clues regarding how they got in.
> You can also try sending rootkit daemons SIGSTOP to freeze the process while
> you examine it.


Those are good tips. I recently was asked to investigate someone's box
that was broken into. He/she put the files in the /dev/ filesystem,
which was an interesting trick - I guess it acts as a pseudo
RAM-disk. But he/she did not wipe logs, .bash_history, w, lastlog, or
last (wtmp or utmp) - which left a trail.

Chris

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
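A small triage script for the approach Ryan describes (freeze the process, then read lsof-style and /proc evidence before cleanup), plus a check for the /dev staging trick Chris mentions. This is an added example, not code from either poster; it assumes a Linux procfs, and the PROC_ROOT override and the `triage.sh` file name are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread: triage of one suspicious PID along
# the lines above. Freeze it, then read what /proc records about how it was
# started, before any cleanup. Assumes a Linux procfs; PROC_ROOT may point at
# a copied /proc tree (then no process is frozen).
PROC_ROOT="${PROC_ROOT:-/proc}"

# triage_pid PID: print exe, cwd, cmdline, login-related environment and the
# open descriptors of PID. Returns 1 when PID has no /proc entry.
triage_pid() {
    pid="$1"
    p="$PROC_ROOT/$pid"
    [ -d "$p" ] || { echo "no /proc entry for pid $pid" >&2; return 1; }
    # SIGSTOP first so a live process cannot clean up while we look.
    if [ "$PROC_ROOT" = /proc ]; then
        kill -STOP "$pid" 2>/dev/null || true
    fi
    # exe keeps resolving (with " (deleted)" appended) after the binary is unlinked.
    printf 'exe: %s\n' "$(readlink "$p/exe" 2>/dev/null || echo '?')"
    printf 'cwd: %s\n' "$(readlink "$p/cwd" 2>/dev/null || echo '?')"
    # cmdline and environ are NUL-separated.
    printf 'cmdline: %s\n' "$(tr '\0' ' ' < "$p/cmdline" | sed 's/ $//')"
    # The environment is inherited from the session that launched the process:
    # SSH_CLIENT/SSH_CONNECTION carry the source address, PWD/OLDPWD the
    # directories that session worked in.
    tr '\0' '\n' < "$p/environ" \
        | grep -E '^(SSH_|PWD=|OLDPWD=|HOME=|USER=|LOGNAME=|PATH=)' \
        | sed 's/^/env: /'
    # Open descriptors: files, sockets, pipes (the same view lsof -p gives).
    for fd in "$p"/fd/*; do
        [ -L "$fd" ] || continue
        printf 'fd %s -> %s\n' "${fd##*/}" "$(readlink "$fd" 2>/dev/null || echo '?')"
    done
}

# dev_regular_files [DIR]: regular files under /dev are unusual; the thread
# describes an intruder staging files there. -xdev skips tmpfs mounts such
# as /dev/shm, so inspect those separately.
dev_regular_files() {
    find "${1:-/dev}" -xdev -type f 2>/dev/null
}

# Stand-alone use: sh triage.sh PID (hypothetical file name).
if [ -n "$1" ]; then
    triage_pid "$1"
    echo '== regular files under /dev =='
    dev_regular_files
fi
```

Run it before killing anything: a frozen process still has its exe, cwd and descriptors attached, and those disappear the moment it exits.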
