In that case,

# sudo apt-get install chkrootkit


Andrew Perrin wrote:
I use debian, not redhat, so I can't use the .rpm advice. I checked most
of the important binaries (top, ps, ls, bash) with an off-net debian
machine of the same generation and found no differences in date or
size.  netstat shows nothing very interesting either.

ap


On Sun, 23 Feb 2003, Chris Hedemark wrote:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Also a lot of rootkits are not smart enough to cover their tracks in the rpm database, so you can use rpm to compare what it thinks should be there with what is really there.

On Sunday, February 23, 2003, at 10:08 PM, Jon Carnes wrote:


boot with a rescue disk and check out your system. In particular look
at the dates on your library files and on key binaries like top, ls, ps,
netstat, etc... If you have another system running the same distro you
can check your binaries against those.

Using an unhacked netstat is a good way to find out if you've started to
send/receive on ports that you shouldn't.

This job is much easier if you have a back-up to compare with.
Personally I use an unmounted partition with a copy of my etc and my
/bin, /sbin, /usr/bin, /usr/sbin, and /lib directories. I can mount the
partition read-only and run an automated checkup on my system using
scripts and binaries located on the partition.

Good Luck - Jon Carnes

On Sun, 2003-02-23 at 21:48, Andrew Perrin wrote:

I came upstairs after a weekend mostly away from my computer to find it in
a nearly-hung state. Load (by top) was >10, and there were numerous
/USR/SBIN/CRON entries which, from the logs, look like they were trying to
run exim sessions:

Feb 23 07:38:01 joehill /USR/SBIN/CRON[13821]: (mail) CMD ( if [ -x
/usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi)
Feb 23 07:53:01 joehill /USR/SBIN/CRON[13829]: (mail) CMD ( if [ -x
/usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi)


(etc., etc.)

The other thing in the ps listing were several (three I think) instances
of:

modprobe -s -k -- net-pf-10

I do not have such a module, either loaded or available on the disk.

What's particularly worrisome is that this machine is behind another
machine running NAT, so it has only a private (192.168.0.x) address. The
NAT machine has nothing particularly suspicious about it. last commands on
both machines show only me logging in.

I would be a happier person if someone could provide a non-suspicious
explanation for this.



--
pub  1024D/B663781B 2001-11-13 Joey O'Doherty <joey(at)odoherty(dot)net>
Key fingerprint = F76B 9ACA 4197 C707 6E4D  2B78 E430 101A B663 781B
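The comparison Jon Carnes describes above (a read-only partition holding a trusted copy of /etc, /bin, /sbin, /usr/bin, /usr/sbin and /lib, audited from scripts on that partition) can be scripted as follows. This is an added example, not code from anyone in this thread. It compares file contents with cmp rather than the date and size that Andrew checked, because a replaced binary can be padded to the original size and given the original timestamp with touch, but cannot keep the original bytes. The names REF and LIVE, the demo() function and the sample files it creates are all constructed for the example; on a real host you would point compare_tree at the mounted reference partition and "/", with PATH set to the partition's own bin directories first so that find and cmp themselves come from trusted media.

```shell
#!/bin/sh
# Added example, not from the thread: audit live system directories against a
# trusted, read-only reference copy, byte for byte.
#
# Assumed (hypothetical) names: REF is the mount point of the read-only
# reference partition, LIVE is the root of the running system. On a real
# host: compare_tree /mnt/ref / bin sbin usr/bin usr/sbin lib etc
# The demo() function builds both trees from constructed sample files so the
# script runs offline.

set -u

# compare_tree REF LIVE DIR...
# Prints one finding per line, MODIFIED, MISSING (absent from LIVE) or
# EXTRA (present only in LIVE). Prints nothing when the trees match.
compare_tree() {
    ref=$1; live=$2; shift 2
    for d in "$@"; do
        # reference -> live: files that changed or were removed
        if [ -d "$ref/$d" ]; then
            find "$ref/$d" -type f | sort | while read -r f; do
                rel=${f#"$ref/"}
                if [ ! -f "$live/$rel" ]; then
                    printf '%-8s %s\n' MISSING "$rel"
                elif ! cmp -s "$f" "$live/$rel"; then
                    printf '%-8s %s\n' MODIFIED "$rel"
                fi
            done
        fi
        # live -> reference: files the backup never contained
        if [ -d "$live/$d" ]; then
            find "$live/$d" -type f | sort | while read -r f; do
                rel=${f#"$live/"}
                [ -f "$ref/$rel" ] || printf '%-8s %s\n' EXTRA "$rel"
            done
        fi
    done
}

# demo: build a reference tree and a live tree from constructed sample files,
# plant one replaced binary (same size and timestamp as the original), one
# deleted file and one unexpected extra file, then print the audit report.
demo() {
    work=$(mktemp -d) || return 1
    for t in ref live; do
        mkdir -p "$work/$t/bin" "$work/$t/sbin" "$work/$t/etc"
        printf 'original ps\n'      > "$work/$t/bin/ps"
        printf 'original ls\n'      > "$work/$t/bin/ls"
        printf 'original netstat\n' > "$work/$t/bin/netstat"
        printf 'original hosts\n'   > "$work/$t/etc/hosts"
    done
    # Constructed tampering on the live side: 'replaced ps' has the same
    # byte count as 'original ps', and touch -r copies the original's mtime,
    # so a date/size check would pass while cmp still catches it.
    printf 'replaced ps\n' > "$work/live/bin/ps"
    touch -r "$work/ref/bin/ps" "$work/live/bin/ps"
    rm "$work/live/bin/netstat"
    printf 'unexpected\n' > "$work/live/sbin/newfile"

    compare_tree "$work/ref" "$work/live" bin sbin etc
    rm -rf "$work"
    return 0
}

# Run the offline demonstration; expected report:
#   MISSING  bin/netstat
#   MODIFIED bin/ps
#   EXTRA    sbin/newfile
demo
```

An empty report means every file under the audited directories is identical to the reference copy; anything listed as MODIFIED or EXTRA in /bin, /sbin or /lib is exactly the kind of replaced top, ps or netstat the thread is worried about, and should be inspected from the rescue environment rather than with the live system's own tools.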
