Security Incidents mailing list archives
Re: Rooted through in.identd on Red Hat 6.0
From: jose () BIOCSERVER BIOC CWRU EDU (Jose Nazario)
Date: Fri, 21 Apr 2000 16:22:20 -0400
On Thu, 20 Apr 2000, Cold Fire wrote:
They are the datafile used by trojaned netstat/ps, it looks as if /dev/cui220 is the data file for ps, stopping ps displaying the 'sh' 'bnc' 'slice2' and 'pt07' processes.
this sounds like a trivial variant of LRK4, Linux Rootkit 4 (see packetstorm for the code). last month another analyst and i wrote about our experiences with Shaft and how we found it on a system, mainly as instructions to other admins on how to examine a compromised box. while nothing new in terms of analysis methods, i think it's been pretty clear and useful for people. it's a decent demonstration of lrk4 in the wild. the link is:

http://biocserver.bioc.cwru.edu/~jose/shaft_analysis/node-analysis.txt

the point is that ls, find, etc. have all most likely been trojaned, making investigatory work worth doing from a boot floppy with some tools (like find, ls, etc.) or mounting the disk in a new system. i think the experiences we detail in that document underscore that point. always mount noexec and read-only, it will save your ass.

i hope this helps. i'm writing a paper, albeit slowly, on using the /proc tree in Linux for forensic work, which should be useful for incident handling, too.

jose nazario
jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
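The /proc cross-check that the post points at, as an added example that is not part of the original thread, of Jose's paper or of LRK4: a POSIX shell script that compares the kernel's own process table in /proc against what the local ps binary reports and lists the PIDs ps leaves out. It assumes Linux and a ps that accepts -e -o pid=; the function names and the --run flag are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post or from LRK4): find processes
# that the ps binary hides by cross-checking it against the kernel's own
# view in /proc. A trojaned ps can drop 'sh', 'bnc', 'slice2' or 'pt07'
# from its output, but the kernel still creates /proc/<pid> for every
# live process. Assumes Linux and a ps accepting "-e -o pid=".

# PIDs the kernel exposes via /proc, one per line.
proc_pids() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] || continue
        basename "$d"
    done
}

# PIDs reported by the ps binary under suspicion, one per line.
ps_pids() {
    ps -e -o pid= | tr -d ' '
}

# hidden_pids PROCLIST PSLIST: print PIDs in PROCLIST missing from PSLIST.
# Works on files so listings saved from the live box can be compared
# offline. FILENAME==ARGV[1] (not NR==FNR) stays correct if PSLIST is empty.
hidden_pids() {
    awk 'FILENAME==ARGV[1] { seen[$1]=1; next } !($1 in seen) { print $1 }' "$2" "$1"
}

# describe_pid PID: name and executable of a live PID, read straight from
# /proc rather than from userland tools that may have been replaced.
describe_pid() {
    name=$(awk '/^Name:/ { print $2; exit }' "/proc/$1/status" 2>/dev/null)
    exe=$(readlink "/proc/$1/exe" 2>/dev/null)
    printf '%s\t%s\t%s\n' "$1" "${name:-?}" "${exe:-?}"
}

main() {
    tmpd=$(mktemp -d) || exit 1
    proc_pids > "$tmpd/proc"
    ps_pids > "$tmpd/ps"
    # A process that exited between the two snapshots shows up here too,
    # so only PIDs still present in /proc are reported.
    hidden_pids "$tmpd/proc" "$tmpd/ps" | while read -r pid; do
        [ -d "/proc/$pid" ] && describe_pid "$pid"
    done
    rm -rf "$tmpd"
}

# Only run the live comparison when asked, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it with --run from clean media, with the suspect disk mounted read-only and noexec as the post advises; a PID that exited between the two snapshots can appear once, so repeat the run and trust only PIDs that persist.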