On Thu, 2003-08-28 at 16:11, [EMAIL PROTECTED] wrote:
> Ok.. more updates...
>
> Did the following:
> rpm --root /mnt/sysimage-q --queryformat
> '%{NAME}-%{VERSION}-%{RELEASE}-%{ARCH}\n' glibc kernel
> (that should all be on one line)
>
> Here's the output:
> glibc-2.3.2-11.9-i686
> glibc-2.3.2-11.27-i686
> kernel-2.4.20-9-i686
> kernel-2.4.20-20.9-i686
> kernel-smp-2.4.20-9-i686
> kernel-smp-2.4.20-19.9-i686
> kernel-smp-2.4.20-20.9-i686
>
> This is an smp box.. is it 'normal' to have two glibc's listed?

No, definitely not normal to have two glibc's.  I'm not sure what would
have caused that, unless you've been installing things with ugly options
like --force.  The current glibc package for RHL 9 is glibc-2.3.2-11.27 .

> And I ran the rpm -V on the coreutils and received the following
>
> S.5....T /bin/basename

That's not good.  It means the "size", "md5sum," and "timestamp" are all
wrong (see man rpm for the full description of the verify output).

> " /bin/cat
> " /bin/chgrp
>
> For net-tools I get the following..
> S.5....T /bin/hostname
> S.5....T /bin/netstat
> S.5....T /bin/ifconfig

And that's a lot worse.  The modified netstat is probably to hide
connections to/from an attacking server.  The modified ifconfig may be
to hide an interface that's in promiscuous mode.

> Before I go any further.. what do you think? rootkitted?
>

My best guess is that you have been rootkitted.  I would try to see if
chkrootkit will run, but depending on how difficult it is to format and
restore from backups, that's probably the best solution :-(

Sometimes you can run "strings" on the compromised binaries and find
evidence of various things, like hostnames that are to be excluded from
netstat, etc.  A google search on some of this output may tell you a lot
more about the particular rootkit.  There seem to be an amazing number
of variations on any given rootkit, however.

Of course, it would be nice to figure out how they got in.  A common
problem is to install updated packages via up2date, or other updating
programs, but forgetting to restart the given service.  Sometimes
libraries like openssl will be used by other programs like Apache -- an
openssl update requires a restart of Apache, and all other programs
using it, before it's totally effective.

Folks -- take this as a reminder that Windows isn't the only OS that can
have security problems -- security affects all types of computing.
--Jeremy

-- 
/---------------------------------------------------------------------\
| Jeremy Portzer        [EMAIL PROTECTED]        trilug.org/~jeremy   |
| GPG Fingerprint: 712D 77C7 AB2D 2130 989F  E135 6F9F F7BC CC1A 7B92 |
\---------------------------------------------------------------------/
-- 
TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ  : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring         : http://trilug.org/~chrish/trilug.asc
