1) Compile a new kernel
2) Replace ps
3) Replace top
4) Replace init
5) Replace ls
6) Replace netstat
7) Format and reinstall.

Sorry,
Shane O.

On 8/5/05, Brian McCullough <[EMAIL PROTECTED]> wrote:
> On Fri, Aug 05, 2005 at 03:33:25PM -0400, Michael Alan Dorman wrote:
> >
> > Try using lsattr to look at the attributes of the file---if a file is
> > marked i (for immutable), then chattr -i install-info will make it
> > read/write, but I'll go ahead and mention that the only time I've ever
> > seen a file or bits of files go suddenly immutable was when a box I
> > had once administered was hacked.
> >
>
> Bingo! Chkrootkit says that I have Suckit.
>
> OK, now what? I gather that I will need to compile a new kernel, change
> the immutable bit in /usr/sbin/*, replace ps, top, ls, init, netstat.
> Anything else? Any suggestions for plugging the hole after the horse
> has bolted?
>
> On a network that has apparently no holes except ssh and mail ( but not
> betting on it ) was this penetration definitely from inside, or could it
> have come in from outside?
>
>
> Brian
>
> --
> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
>

--
Shane O.
========
Shane O'Donnell
[EMAIL PROTECTED]
====================
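
The lsattr check suggested in the quoted message, as an added example that is not part of the original thread: a filter that reads lsattr output and reports files carrying the immutable (i) or append-only (a) attribute. The function names `flag_locked` and `sample_lsattr` and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): report immutable / append-only files
# from `lsattr` output, which has the form "<flags> <path>" per line.

# flag_locked: read lsattr-style lines on stdin, print "<reason> <path>"
# for each entry whose flag field has i (immutable) or a (append-only) set.
flag_locked() {
    awk '
        # Accept only lines whose first field looks like an attribute string;
        # this skips "dir:" headers from lsattr -R and stray error text.
        NF >= 2 && $1 ~ /^[-A-Za-z]+$/ {
            flags = $1
            # The path is everything after the flag field (it may hold spaces).
            path = $0
            sub(/^[^ \t]+[ \t]+/, "", path)
            # Case matters: i = immutable, I = indexed directory,
            # a = append-only, A = no atime updates.
            imm = index(flags, "i") > 0
            app = index(flags, "a") > 0
            if (imm && app) print "immutable+append-only " path
            else if (imm)   print "immutable " path
            else if (app)   print "append-only " path
        }'
}

# sample_lsattr: constructed lsattr output, used to exercise the filter offline.
sample_lsattr() {
    cat <<'EOF'
----i---------e------- /usr/sbin/install-info
--------------e------- /usr/sbin/cron
-----a--------e------- /var/log/auth.log
-------------Ie------- /usr/sbin/some dir
EOF
}

# Typical use on a live tree (needs e2fsprogs and a filesystem that
# supports these attributes):
#   lsattr -R /usr/sbin 2>/dev/null | flag_locked
```

On a host that chkrootkit has flagged, the filter is only as reliable as the lsattr binary feeding it, so the input is best produced with tools from known-good media.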
