Security Basics mailing list archives
Re: redhat audit
From: exon <exon () home se>
Date: Tue, 17 Jun 2003 12:41:53 +0200 (CEST)
man find and look into -mtime. It's not a very good method, however, since you're probably being duped by 'touch -r <origfile mv'd to preserve timestamp> backdoorfile'. If this is not the case, you're looking at the results of a totally incompetent intruder who should be shot at sight.

If I were you, I'd replace any and all process monitoring tools, network monitoring tools, file monitoring tools (find, ls, df, du), any network servers you have running on your system and any and all daemons that are running (including init, inetd and so on and so forth). You might also want to replace the shell you're using. It's rare, but heard of, that rootkits and backdoor systems include replacement gcc's, so that newly compiled sources ALL have backdoor code in them. A much more clever hack is to add simple server capabilities to the fork() function in libc, which is called by daemons to 'release' themselves of the current tty (sort of).

Do 'netstat -lp --numeric-ports' to see what's running on your system, but after you've replaced it, mkay?

When you've updated your system I suggest you run 'du -x / | grep "/." > dufile' to find the location of the rootkit installation. It will probably be in some directory that is present on all systems, but most newbies don't look in (like /var/log, or /var/spool) which the hacked shell (if any) won't let you cd to.

Needless to say, you need to unplug the ethercable until you're done with the 'upgrading', and then look into the server software you're running to make sure it doesn't happen again.

Now you may go paranoid and look over your shoulder. There's probably someone there.

/Andy

On Mon, 16 Jun 2003, Matthew Sallee wrote:
> Recently my redhat box was compromised and I'm auditing changes that were made (I didn't notice for several days). I've been trying to create a command that will allow me to view all the files modified in the last x number of days. I've tried piping ls to grep with minimal success. Any help is greatly appreciated...
>
> matt
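The two points raised above (find -mtime answers the question, but a back-dated mtime hides from it) as an added example, not code from either poster. It goes one step beyond the reply: an inode's change time (ctime) is updated by the very touch that forges the mtime and cannot be set back by ordinary tools, so a ctime search still lists the back-dated file. Function names and the temporary tree are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original thread). Two "changed in the last N
# days" searches over a directory tree, staying on one filesystem (-xdev),
# plus a search for dot-named directories of the kind the reply mentions.

# Files whose modification time is within the last N days (find -mtime, as
# the reply suggests). A forged mtime ('touch -r old file') hides from this.
modified_within() {
    find "$1" -xdev -type f -mtime "-$2" -print | sort
}

# Files whose inode change time is within the last N days. The kernel bumps
# ctime on every inode change, including the touch that forges mtime, and no
# ordinary tool can set it back, so this still lists the back-dated file.
changed_within() {
    find "$1" -xdev -type f -ctime "-$2" -print | sort
}

# Directories whose name begins with a dot, a cheap place to stash files.
dot_dirs() {
    find "$1" -xdev -type d -name '.*' -print | sort
}

# Demo on a constructed temporary tree: one genuinely new file and one file
# whose mtime has been forged to look two decades old. (The "old" file shows
# up under ctime too, because it was itself created just now.)
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/var/log/.cache"
    printf 'old\n' > "$t/old"; touch -t 200301010000 "$t/old"
    printf 'new\n' > "$t/var/log/.cache/new"
    printf 'bd\n'  > "$t/var/log/bd"; touch -r "$t/old" "$t/var/log/bd"
    echo "== mtime within 7 days (bd is missing)"; modified_within "$t" 7
    echo "== ctime within 7 days (bd is listed)";  changed_within "$t" 7
    echo "== dot directories";                     dot_dirs "$t"
    rm -rf "$t"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh recent.sh demo` to see the three listings on the constructed tree; point the functions at a real mount point to use them on a system.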