On Fri, 16 Feb 2001, Frank Carreiro wrote:
> do the following...
>
> ps aux
>
If he's been hacked by a rootkit, most likely /bin/ps has been replaced by
a bogus version that will not list the hacker's processes. Thus you won't
see that he's running an IRC server or whatever. Several other important
utilities are most likely replaced, too, such as ls, netstat, syslogd, rm.
The rootkits try to cover their tracks.
One way to tell if these utilities have been compromised is to issue the
following commands:
lsattr /bin/ps
lsattr /bin/ls
...
If it returns with: ---i---- /bin/ps
then you know that the file has been replaced with the rootkit's
version.
If it returns with: -------- /bin/ps then it likely has not.
The way to be able to see what is actually running is to get your own
private copy of /bin/ps, ls, rm, netstat, syslogd, /etc/syslog.conf
from another machine (ftp or floppy), and I suggest you copy them to
some obscure subdirectory in your home dir, and give them obscure names
so the hacker can't easily see that you are onto him and trying to monitor
things.
You can always fire up a private copy of syslogd under a very common, but
obscure name and get it to log to a file other than /var/log/messages
again with a very bland sounding name somewhere else.
Then you can watch and catch him in the act.
However, don't hold any illusions of being able to find all the hacker's
stuff and easily replacing it to get your system back. The only sane way
is to do a re-install. Also, don't try to watch for too long before you
re-install, because the hacker might be using your box as a base of attack
against other boxes, etc. Be curious for a short while. Maybe even get
lucky and catch a login in your private syslog, but don't spend too much
time.
I once had a box that I left as a "honey pot" - a standard RH 6.2 install
to see what would happen to it. I checked it every day. Sure enough, it
got hacked. I got my private copies of ps, etc. and watched him run an irc
server and some other stuff. I played with him some, killing his
processes, but he would start them up again. (He even had cron start
stuff up). It took quite a while (like a whole day) checking every file in
every directory, comparing them to files on another freshly installed
system. I finally found his little nest of eggs in /usr/share. However,
you just never know what I missed and I spent a very very long day
checking. Not something I recommend.
As was recommended: pull the plug, re-install after backing up your data.
Next time, if you run up2date frequently (subscribe to redhat-watch and
redhat-announce listservs and get notified when there are updates)
to get updates from redhat, and if you use tcpwrappers with
/etc/hosts.deny = ALL: ALL, and only add back in what you trust in
/etc/hosts.allow, then you will be reasonably protected (well, you might
check /etc/inetd.conf or /etc/xinetd.d to see what unnecessary services
you can turn off). Also, install portsentry and you'll know what they are
banging on your machine (portsentry is available from powertools CD or
from powertools directory at the online redhat mirrors.)
--
***************************************************************************
Jerry Winegarden OIT/Technical Support Duke University
[EMAIL PROTECTED] http://www-jerry.oit.duke.edu
***************************************************************************
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
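The two checks Jerry describes (looking for the immutable attribute on key binaries with lsattr, and comparing files against a freshly installed system) can be scripted. The helpers below are an added example, not code from Jerry's post or from Red Hat; they assume GNU lsattr's "<attrs> <path>" output format, sha256sum in PATH (md5sum would have been the tool of the day), and a manifest of "<sha256> <path>" lines produced on the clean machine. The lsattr output sample is constructed for illustration, not captured from a real box.

```sh
#!/bin/sh
# Added example, not from the original post: scripted versions of the
# checks described above. Assumptions: GNU lsattr output ("<attrs> <path>"),
# sha256sum available, and a manifest of "<sha256> <path>" lines that was
# generated on a known-clean install of the same package versions.

# Constructed lsattr output for illustration only (not from a real system).
SAMPLE_LSATTR='----i--------e------- /bin/ps
-------------e------- /bin/ls
-------------e------- /bin/netstat
----i--------e------- /sbin/syslogd'

# Read lsattr lines on stdin and print the paths whose attribute field
# contains the lowercase 'i' (immutable) flag. Matching is case-sensitive
# on purpose: uppercase 'I' means "indexed directory" and is unrelated.
immutable_from_lsattr() {
    while read -r attrs path; do
        case "$attrs" in
            *i*) printf '%s\n' "$path" ;;
        esac
    done
}

# Run lsattr on the binaries the post names and report the immutable ones.
# lsattr itself may be trojaned on a rootkitted box, so run this with your
# private tool directory first in PATH (PATH="$TOOLDIR:$PATH").
check_system_binaries() {
    for f in /bin/ps /bin/ls /bin/netstat /bin/rm /sbin/syslogd; do
        if [ -e "$f" ]; then
            lsattr "$f" 2>/dev/null || true
        fi
    done | immutable_from_lsattr
}

# Compare local files to a manifest of "<sha256> <path>" lines made on a
# known-clean machine (e.g. `sha256sum /bin/ps /bin/ls ... > manifest`).
# $1 = manifest file; $2 = optional root prefix (hypothetical convenience so
# a victim disk mounted at /mnt/victim can be checked from a trusted host).
# Prints one status line per manifest entry: OK, MODIFIED or MISSING.
verify_manifest() {
    manifest="$1"
    root="${2:-}"
    while read -r refsum path; do
        target="$root$path"
        if [ ! -e "$target" ]; then
            printf 'MISSING  %s\n' "$path"
        elif [ "$(sha256sum "$target" | cut -d' ' -f1)" = "$refsum" ]; then
            printf 'OK       %s\n' "$path"
        else
            printf 'MODIFIED %s\n' "$path"
        fi
    done < "$manifest"
}
```

Two caveats a practitioner will want: a clean immutable field does not prove a binary is genuine (it only means the rootkit did not bother with chattr +i), so the manifest comparison is the stronger check; and the manifest must come from the same package versions, otherwise every legitimate up2date run shows up as MODIFIED. As the post says, both lsattr and the checksum tool must be your own copies brought in from another machine, since the ones on the compromised box are exactly the files in question.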