Dear Lewi (et al.),

On Wed, 28 Aug 2002 22:10:06 +0700, Lewi <[EMAIL PROTECTED]> wrote:
> I was just checking where passwd comes from; when I run this:
> # whereis passwd
> passwd: /bin/passwd /usr/bin/passwd /etc/passwd.OLD /etc/passwd
> /usr/share/man/man1/passwd.1.gz
>
> then I checked
> # rpm -qf /bin/passwd
> file /bin/passwd is not owned by any package
>
> # rpm -ql passwd-0.64.1-4
> /etc/pam.d/passwd
> /usr/bin/passwd
> /usr/share/man/man1/passwd.1.gz
>
> so where does /bin/passwd come from??
> I checked, using this, whether maybe I could get something:
> # string /bin/passwd
> but I didn't find any suspicious line.
> I attached it here, sorry if it's too big, it's just 3.5 KB :)
> I'm using rh7.1
>
> <snip>

Yes, this looks very wrong, so you may have been "rooted."

I'd run "pstree -u" and see if there are any strange new processes operating. The "top" command might work, and obviously the /proc file system will give you all the process information, but you may not get a straight answer from "ps" since some rootkits replace it with a broken version that shows you only the normal processes.

Also, look at your inetd/xinetd configuration and /etc/services to see if anything has been changed. Running "netstat" will give you some of that information.

Are your log files intact (no files or lines obviously missing)? Were you running tripwire, and, if so, are the databases backed up?

There is a rootkit sniffer that will search for known malicious code on a filesystem; I forget the name but it is documented on www.insecure.org.

At some point, when you've seen and documented what you wanted to see about the state of the running system, by all means SHUT IT DOWN unless it is somehow mission critical to let it run.

I was "rooted" twice last fall, on both a company server and my home system (using the same vulnerability in ssh-1.x.something, so I felt really stupid). Since then I've learned that a) security compromises are no fun and b) protecting against them is very serious business.
I'd like to provide more support, but for confidentiality reasons it might be better to take it off-line until you have cleared this up. Then perhaps you can post a summary to the list. Go ahead and e-mail me directly -- from a system that isn't compromised... :)

Truly,
Jonathan

--
Jonathan R. Johnson       | "Every word of God is flawless."
Minnetonka Software, Inc. |   -- Proverbs 30:5
[EMAIL PROTECTED]         | My own words only speak for me.
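Some of the checks Jonathan lists above can be scripted. The following is an added example written for this page, not code from Lewi, Jonathan or Red Hat; it embeds the whereis and rpm output quoted in the thread as constructed sample input, and its function names are my own. It compares the whereis hits against the package's file list (which is exactly how /bin/passwd stands out), parses the rpm -qf answer, and lists PIDs that appear in /proc but that a possibly trojaned ps does not report, taking two /proc snapshots so processes that simply exited during the run are not flagged.

```python
"""Added example (not code from the thread or from Red Hat): script the
package-ownership and /proc-versus-ps checks discussed above.

Constructed inputs: WHEREIS_PASSWD, RPM_QL_PASSWD and RPM_QF_BIN_PASSWD are
copied from the quoted e-mail; the function names are this example's own.
"""
import os
import re
import subprocess

# Constructed from the command output quoted in the thread.
WHEREIS_PASSWD = ("passwd: /bin/passwd /usr/bin/passwd /etc/passwd.OLD "
                  "/etc/passwd /usr/share/man/man1/passwd.1.gz")
RPM_QL_PASSWD = ("/etc/pam.d/passwd\n/usr/bin/passwd\n"
                 "/usr/share/man/man1/passwd.1.gz\n")
RPM_QF_BIN_PASSWD = "file /bin/passwd is not owned by any package"

# Directories where an extra, unpackaged copy of a system binary matters.
EXEC_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
             "/usr/local/bin/", "/usr/local/sbin/")


def parse_whereis(line):
    """Split 'name: path path ...' (whereis output) into its path list."""
    _name, _sep, rest = line.partition(":")
    return rest.split()


def unpackaged_executables(whereis_line, rpm_ql_text):
    """Executables that whereis found but the package's file list does not own.

    Man pages and /etc data are ignored; only files under binary
    directories are relevant to the 'second copy of passwd' question.
    """
    owned = set(rpm_ql_text.split())
    return [p for p in parse_whereis(whereis_line)
            if p.startswith(EXEC_DIRS) and p not in owned]


def owning_package(rpm_qf_output):
    """Return the package named by `rpm -qf`, or None when the file is unowned."""
    text = rpm_qf_output.strip()
    if re.match(r"^file \S+ is not owned by any package$", text):
        return None
    return text


def hidden_pids(proc_before, ps_pids_seen, proc_after):
    """PIDs present in /proc both before and after running ps, yet absent
    from the ps output. Requiring the PID in both snapshots drops processes
    that merely exited mid-check, which would otherwise be false positives."""
    stable = set(proc_before) & set(proc_after)
    return sorted(stable - set(ps_pids_seen))


def snapshot_proc_pids():
    """Read PIDs straight from /proc, which a replaced ps binary cannot filter."""
    return [int(d) for d in os.listdir("/proc") if d.isdigit()]


def ps_pids():
    """PIDs as reported by the (possibly replaced) ps binary."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return [int(tok) for tok in out.split()]


def proc_cmdline(pid):
    """Command line of a PID read from /proc; empty string if it is gone."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as fh:
            return fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return ""


if __name__ == "__main__":
    print("unowned executables:", unpackaged_executables(WHEREIS_PASSWD, RPM_QL_PASSWD))
    print("rpm -qf owner of /bin/passwd:", owning_package(RPM_QF_BIN_PASSWD))
    if os.path.isdir("/proc"):
        before = snapshot_proc_pids()
        try:
            seen = ps_pids()
        except (OSError, subprocess.CalledProcessError) as exc:
            seen = None
            print("ps not usable:", exc)
        if seen is not None:
            for pid in hidden_pids(before, seen, snapshot_proc_pids()):
                print(f"hidden from ps: pid {pid} cmdline={proc_cmdline(pid)!r}")
```

Run it as a plain script on the suspect host; a non-empty "hidden from ps" list is the symptom Jonathan describes for a replaced ps, and the package checks reproduce the /bin/passwd discrepancy from the constructed input without touching rpm at all.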