I use Debian, not Red Hat, so I can't use the .rpm advice. I checked most of the important binaries (top, ps, ls, bash) with an off-net Debian machine of the same generation and found no differences in date or size. netstat shows nothing very interesting either.
ap
----------------------------------------------------------------------
Andrew J Perrin - http://www.unc.edu/~aperrin
Assistant Professor of Sociology, U of North Carolina, Chapel Hill
[EMAIL PROTECTED] * andrew_perrin (at) unc.edu

On Sun, 23 Feb 2003, Chris Hedemark wrote:

> Also a lot of rootkits are not smart enough to cover their tracks in
> the rpm database, so you can use rpm to compare what it thinks should
> be there with what is really there.
>
> On Sunday, February 23, 2003, at 10:08 PM, Jon Carnes wrote:
>
> > boot with a rescue disk and check out your system. In particular look
> > at the dates on your library files and on key binaries like top, ls,
> > ps, netstat, etc... If you have another system running the same distro
> > you can check your binaries against those.
> >
> > Using an unhacked netstat is a good way to find out if you've started
> > to send/receive on ports that you shouldn't.
> >
> > This job is much easier if you have a back-up to compare with.
> > Personally I use an unmounted partition with a copy of my etc and my
> > /bin, /sbin, /usr/bin, /usr/sbin, and /lib directories. I can mount
> > the partition read-only and run an automated checkup on my system
> > using scripts and binaries located on the partition.
> >
> > Good Luck - Jon Carnes
> >
> > On Sun, 2003-02-23 at 21:48, Andrew Perrin wrote:
> >> I came upstairs after a weekend mostly away from my computer to find
> >> it in a nearly-hung state. Load (by top) was >10, and there were
> >> numerous /USR/SBIN/CRON entries which, from the logs, look like they
> >> were trying to run exim sessions:
> >>
> >> Feb 23 07:38:01 joehill /USR/SBIN/CRON[13821]: (mail) CMD ( if [ -x /usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi)
> >> Feb 23 07:53:01 joehill /USR/SBIN/CRON[13829]: (mail) CMD ( if [ -x /usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi)
> >>
> >> (etc., etc.)
> >>
> >> The other thing in the ps listing were several (three I think)
> >> instances of:
> >>
> >> modprobe -s -k -- net-pf-10
> >>
> >> I do not have such a module, either loaded or available on the disk.
> >>
> >> What's particularly worrisome is that this machine is behind another
> >> machine running NAT, so it has only a private (192.168.0.x) address.
> >> The NAT machine has nothing particularly suspicious about it. last
> >> commands on both machines show only me logging in.
> >>
> >> I would be a happier person if someone could provide a non-suspicious
> >> explanation for this.
> >>
> >> Thanks.
> >>
> >> _______________________________________________
> >> TriLUG mailing list
> >> http://www.trilug.org/mailman/listinfo/trilug
> >> TriLUG Organizational FAQ:
> >> http://www.trilug.org/~lovelace/faq/TriLUG-faq.html
>
> Chris Hedemark
> PGP/GnuPG Public Key at http://yonderway.com/chris/hedemark.gpg
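Jon Carnes' read-only-partition checkup, written out as a script; this is an added example, not anything posted in the thread. It assumes the trusted copy of /bin, /sbin, /usr/bin, /usr/sbin and /lib is mounted at a hypothetical /mnt/clean, and that TRUSTED_PATH, if exported, names the bin directories on that partition so the comparison itself runs with clean tools.

```shell
#!/bin/sh
# Compare the live system (LIVE) against a trusted copy of its binary
# directories mounted read-only (REF). With TRUSTED_PATH pointing at the
# clean partition's bin dirs, find/sha256sum come from the clean copy, so a
# trojaned ls/ps/netstat on the live system cannot hide its own changes.

hash_file() {
    # sha256sum on GNU systems, shasum elsewhere; print only the digest
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# compare_trees REF LIVE DIR...  e.g. compare_trees /mnt/clean / bin sbin lib
# Prints CHANGED / MISSING / NEW lines; returns 0 only if nothing differs.
compare_trees() {
    ref="$1"; live="$2"; shift 2
    PATH="${TRUSTED_PATH:-$PATH}"; export PATH
    diffs=0
    list=$(mktemp)
    for dir in "$@"; do
        # every file in the trusted copy must exist on live with the same hash
        [ -d "$ref/$dir" ] || continue
        find "$ref/$dir" -type f > "$list"
        while IFS= read -r rf; do
            rel="${rf#"$ref/"}"
            if [ ! -f "$live/$rel" ]; then
                printf '%-8s %s\n' MISSING "$rel"; diffs=$((diffs + 1))
            elif [ "$(hash_file "$rf")" != "$(hash_file "$live/$rel")" ]; then
                printf '%-8s %s\n' CHANGED "$rel"; diffs=$((diffs + 1))
            fi
        done < "$list"
        # files on live that the trusted copy never had (dropped-in binaries)
        [ -d "$live/$dir" ] || continue
        find "$live/$dir" -type f > "$list"
        while IFS= read -r lf; do
            rel="${lf#"$live/"}"
            if [ ! -f "$ref/$rel" ]; then
                printf '%-8s %s\n' NEW "$rel"; diffs=$((diffs + 1))
            fi
        done < "$list"
    done
    rm -f "$list"
    [ "$diffs" -eq 0 ]
}

# Run as: TRUSTED_PATH=/mnt/clean/bin:/mnt/clean/usr/bin \
#         sh check.sh /mnt/clean / bin sbin usr/bin usr/sbin lib
if [ $# -ge 3 ]; then compare_trees "$@"; fi
```

A date or size match, as checked by hand earlier in the thread, is weaker than a content hash: a replacement binary can be padded and touched to match both.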
