http://www.chkrootkit.org/ a good thing to have in your toolbox.
Scott Morris
[EMAIL PROTECTED]
Cleverly Disguised As A Responsible Adult.
pub  1024D/146D0BC9 2000-11-29 scmorris
     Key fingerprint = 5348 7697 85AA 2117 8E7C 9A13 26BA C4FF 146D 0BC9

On Sun, 23 Feb 2003, Andrew Perrin wrote:

> I use debian, not redhat, so I can't use the .rpm advice. I checked most
> of the important binaries (top, ps, ls, bash) with an off-net debian
> machine of the same generation and found no differences in date or
> size. netstat shows nothing very interesting either.
>
> ap
>
> ----------------------------------------------------------------------
> Andrew J Perrin - http://www.unc.edu/~aperrin
> Assistant Professor of Sociology, U of North Carolina, Chapel Hill
> [EMAIL PROTECTED] * andrew_perrin (at) unc.edu
>
>
> On Sun, 23 Feb 2003, Chris Hedemark wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Also a lot of rootkits are not smart enough to cover their tracks in
> > the rpm database, so you can use rpm to compare what it thinks should
> > be there with what is really there.
> >
> > On Sunday, February 23, 2003, at 10:08 PM, Jon Carnes wrote:
> >
> > > boot with a rescue disk and check out your system. In particular look
> > > at the dates on your library files and on key binaries like top, ls,
> > > ps, netstat, etc... If you have another system running the same distro
> > > you can check your binaries against those.
> > >
> > > Using an unhacked netstat is a good way to find out if you've started
> > > to send/receive on ports that you shouldn't.
> > >
> > > This job is much easier if you have a back-up to compare with.
> > > Personally I use an unmounted partition with a copy of my etc and my
> > > /bin, /sbin, /usr/bin, /usr/sbin, and /lib directories. I can mount
> > > the partition read-only and run an automated checkup on my system
> > > using scripts and binaries located on the partition.
> > >
> > > Good Luck - Jon Carnes
> > >
> > > On Sun, 2003-02-23 at 21:48, Andrew Perrin wrote:
> > > > I came upstairs after a weekend mostly away from my computer to find
> > > > it in a nearly-hung state. Load (by top) was >10, and there were
> > > > numerous /USR/SBIN/CRON entries which, from the logs, look like they
> > > > were trying to run exim sessions:
> > > >
> > > > Feb 23 07:38:01 joehill /USR/SBIN/CRON[13821]: (mail) CMD ( if [ -x
> > > > /usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ;
> > > > fi)
> > > > Feb 23 07:53:01 joehill /USR/SBIN/CRON[13829]: (mail) CMD ( if [ -x
> > > > /usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ;
> > > > fi)
> > > >
> > > > (etc., etc.)
> > > >
> > > > The other thing in the ps listing were several (three I think)
> > > > instances of:
> > > >
> > > > modprobe -s -k -- net-pf-10
> > > >
> > > > I do not have such a module, either loaded or available on the disk.
> > > >
> > > > What's particularly worrisome is that this machine is behind another
> > > > machine running NAT, so it has only a private (192.168.0.x) address.
> > > > The NAT machine has nothing particularly suspicious about it. last
> > > > commands on both machines show only me logging in.
> > > >
> > > > I would be a happier person if someone could provide a non-suspicious
> > > > explanation for this.
> > > >
> > > > Thanks.
> > > >
> > > > ----------------------------------------------------------------------
> > > > Andrew J Perrin - http://www.unc.edu/~aperrin
> > > > Assistant Professor of Sociology, U of North Carolina, Chapel Hill
> > > > [EMAIL PROTECTED] * andrew_perrin (at) unc.edu
> > > >
> > > > _______________________________________________
> > > > TriLUG mailing list
> > > > http://www.trilug.org/mailman/listinfo/trilug
> > > > TriLUG Organizational FAQ:
> > > > http://www.trilug.org/~lovelace/faq/TriLUG-faq.html
> >
> > Chris Hedemark
> > PGP/GnuPG Public Key at http://yonderway.com/chris/hedemark.gpg
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.1 (Darwin)
> >
> > iD8DBQE+WY/0YPuF4Zq9lvYRAlaHAKDbXzFt41zNf/PwXRfxwRVzwfQ7MwCfSv3u
> > kQY1+gON2bjUQWsjxDBRWf0=
> > =Jvbh
> > -----END PGP SIGNATURE-----
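The "automated checkup" against a read-only copy that Jon Carnes describes in the thread above, written out as a POSIX shell script. This is an added example, not code from the thread, from chkrootkit or from any TriLUG member; the mount point /mnt/trusted, the script name and the directory list are assumptions. It hashes every file in the trusted copy and reports files that were modified, are missing from the live system, or appeared there without a trusted counterpart, and it puts the trusted copy's own bin directories first in PATH so a trojaned live find or sha256sum cannot misreport results.

```shell
#!/bin/sh
# Added example (not from the thread): compare the live system against a
# trusted, read-only copy of its binaries, using the tools from that copy.
# The mount point /mnt/trusted and the directory list are assumptions.

# check_tree TRUSTED LIVE DIR...
# Prints one line per difference under each DIR (relative to both roots):
#   MODIFIED /bin/ps   hash differs from the trusted copy
#   MISSING  /bin/top  present in the trusted copy, gone from the live system
#   ADDED    /bin/x    present live, no trusted counterpart
check_tree() {
    trusted=$1   # root of the read-only copy, e.g. /mnt/trusted
    live=$2      # root of the live system, normally /
    shift 2

    # Run find/sha256sum/cut from the trusted copy when they exist there,
    # so a replaced live binary cannot lie about its own hash.
    PATH="$trusted/usr/bin:$trusted/bin:$PATH"
    export PATH

    for d in "$@"; do
        # Trusted side: every regular file must exist live with the same hash.
        find "$trusted/$d" -type f | while IFS= read -r f; do
            rel=${f#"$trusted"}
            if [ ! -f "$live$rel" ]; then
                echo "MISSING $rel"
                continue
            fi
            want=$(sha256sum < "$f" | cut -d' ' -f1)
            have=$(sha256sum < "$live$rel" | cut -d' ' -f1)
            [ "$want" = "$have" ] || echo "MODIFIED $rel"
        done
        # Live side: anything without a trusted counterpart is new.
        find "$live/$d" -type f | while IFS= read -r f; do
            rel=${f#"$live"}
            [ -f "$trusted$rel" ] || echo "ADDED $rel"
        done
    done
}

# Typical use after booting from rescue media or mounting the trusted
# partition read-only (device name is an assumption):
#   mount -o ro /dev/sdXN /mnt/trusted
#   sh /mnt/trusted/checkup.sh /mnt/trusted / bin sbin usr/bin usr/sbin lib etc
if [ "$#" -ge 3 ]; then
    check_tree "$@"
fi
```

On a Debian system the packaged equivalent of `rpm -Va` is `debsums -c`, but both read their reference checksums from the live disk (/var/lib/dpkg/info and the rpm database), which anyone with root could have rewritten along with the binaries; the offline copy avoids that dependency. With merged /usr, /bin may be a symlink, in which case pass usr/bin and usr/sbin rather than bin and sbin, since find does not follow a symlinked starting point.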
