Hackers are unstoppable!

Michael Schwendt mschwendt.tmp0501.nospam at arcor.de
Mon Aug 29 08:44:48 UTC 2005


On Sun, 28 Aug 2005 17:43:51 -0400, Webmaster wrote:

> We have not been able to determine how a hacker was able to crack one of
> our hosts and deposit binaries on all the hosts in our network (all hosts are FC3).

Only those unimportant ones you listed? That doesn't look like it was a
hacker.
> A tripwire report shows the following binaries as being modified.

If you use Tripwire, you need to be careful after updates of your
installation. Update the Tripwire database at the right time, also to
accompany everything the prelinking cron job might have done.

> chkrootkit.0.45 sometimes
> reports that an LKM trojan has been installed, but it does not report a 
> problem each time it is invoked.

Give an example.  chkrootkit is not 100%, it just provides some default
searches. Threads hidden in the /proc fs can lead to false positives,
and so can rare files which match chkrootkit's checks, but are not
a hacker's work actually.

> Modified:
> "/usr/bin"
> "/usr/bin/411toppm"
> "/usr/bin/asciitopgm"
> "/usr/bin/atktopbm"
> "/usr/bin/bioradtopgm"
> "/usr/bin/bmptopnm"
> "/usr/bin/brushtopbm"
> "/usr/bin/cameratopam"
> "/usr/bin/cmuwmtopbm"
> "/usr/bin/ddbugtopbm"
> "/usr/bin/escp2topbm"
> "/usr/bin/eyuvtoppm"
> "/usr/bin/fiascotopnm"
> "/usr/bin/fitstopnm"
> "/usr/bin/fstopgm"
> "/usr/bin/g3topbm"
> "/usr/bin/gemtopnm"
> "/usr/bin/giftopnm"
> "/usr/bin/gouldtoppm"
> "/usr/bin/hdifftopam"
> "/usr/bin/hipstopgm"
> "/usr/bin/icontopbm"
> "/usr/bin/ilbmtoppm"
> "/usr/bin/imgtoppm"
> "/usr/bin/infotopam"
> "/usr/bin/jbigtopnm"
> "/usr/bin/jpeg2ktopam"
> "/usr/bin/jpegtopnm"
> "/usr/bin/leaftoppm"
> "/usr/bin/lispmtopgm"
> "/usr/bin/macptopbm"
> "/usr/bin/mdatopbm"
> "/usr/bin/mgrtopbm"
> "/usr/bin/mrftopbm"
> "/usr/bin/mtvtoppm"
> "/usr/bin/neotoppm"
> "/usr/bin/palmtopnm"
> "/usr/bin/pamarith"
> "/usr/bin/pamchannel"
> "/usr/bin/pamcomp"
> "/usr/bin/pamcut"
> "/usr/bin/pamdeinterlace"
> "/usr/bin/pamdice"
> "/usr/bin/pamditherbw"
> "/usr/bin/pamedge"
> "/usr/bin/pamendian"
> "/usr/bin/pamenlarge"
> "/usr/bin/pamfile"
> "/usr/bin/pamflip"
> "/usr/bin/pamfunc"
> "/usr/bin/pamgauss"
> "/usr/bin/pamlookup"
> "/usr/bin/pammasksharpen"
> "/usr/bin/pamoil"
> "/usr/bin/pamperspective"
> "/usr/bin/pampop9"
> "/usr/bin/pamscale"
> "/usr/bin/pamseq"
> "/usr/bin/pamsharpmap"
> "/usr/bin/pamsharpness"
> "/usr/bin/pamslice"
> "/usr/bin/pamstack"
> "/usr/bin/pamstereogram"
> "/usr/bin/pamstretch"
> "/usr/bin/pamsumm"
> "/usr/bin/pamsummcol"
> "/usr/bin/pamtodjvurle"
> "/usr/bin/pamtohdiff"
> "/usr/bin/pamtohtmltbl"
> "/usr/bin/pamtojpeg2k"
> "/usr/bin/pamtopfm"
> "/usr/bin/pamtopnm"
> "/usr/bin/pamtotga"
> "/usr/bin/pamtouil"
> "/usr/bin/pbmclean"
> "/usr/bin/pbmlife"
> "/usr/bin/pbmmake"
> "/usr/bin/pbmmask"
> "/usr/bin/pbmpage"
> "/usr/bin/pbmpscale"
> "/usr/bin/pbmreduce"
> "/usr/bin/pbmtext"
> "/usr/bin/pbmtextps"
> "/usr/bin/pbmto10x"
> "/usr/bin/pbmto4425"
> "/usr/bin/pbmtoascii"
> "/usr/bin/pbmtoatk"
> "/usr/bin/pbmtobbnbg"
> "/usr/bin/pbmtocmuwm"
> "/usr/bin/pbmtodjvurle"
> "/usr/bin/pbmtoepsi"
> "/usr/bin/pbmtoepson"
> "/usr/bin/pbmtoescp2"
> "/usr/bin/pbmtog3"
> "/usr/bin/pbmtogem"
> "/usr/bin/pbmtogo"
> "/usr/bin/pbmtoibm23xx"
> "/usr/bin/pbmtoicon"
> "/usr/bin/pbmtolj"
> "/usr/bin/pbmtoln03"
> "/usr/bin/pbmtolps"
> "/usr/bin/pbmtomacp"
> "/usr/bin/pbmtomatrixorbital"
> "/usr/bin/pbmtomda"
> "/usr/bin/pbmtomgr"
> "/usr/bin/pbmtomrf"
> "/usr/bin/pbmtonokia"
> "/usr/bin/pbmtopgm"
> "/usr/bin/pbmtopi3"
> "/usr/bin/pbmtopk"
> "/usr/bin/pbmtoplot"
> "/usr/bin/pbmtoppa"
> "/usr/bin/pbmtopsg3"
> "/usr/bin/pbmtoptx"
> "/usr/bin/pbmtowbmp"
> "/usr/bin/pbmtox10bm"
> "/usr/bin/pbmtoxbm"
> "/usr/bin/pbmtoybm"
> "/usr/bin/pbmtozinc"
> "/usr/bin/pbmupc"
> "/usr/bin/pc1toppm"
> "/usr/bin/pcxtoppm"
> "/usr/bin/pfmtopam"
> "/usr/bin/pgmabel"
> "/usr/bin/pgmbentley"
> "/usr/bin/pgmcrater"
> "/usr/bin/pgmenhance"
> "/usr/bin/pgmhist"
> "/usr/bin/pgmkernel"
> "/usr/bin/pgmminkowski"
> "/usr/bin/pgmmorphconv"
> "/usr/bin/pgmnoise"
> "/usr/bin/pgmramp"
> "/usr/bin/pgmtexture"
> "/usr/bin/pgmtofs"
> "/usr/bin/pgmtolispm"
> "/usr/bin/pgmtopbm"
> "/usr/bin/pgmtopgm"
> "/usr/bin/pgmtoppm"
> "/usr/bin/pi1toppm"
> "/usr/bin/pi3topbm"
> "/usr/bin/pjtoppm"
> "/usr/bin/pktopbm"
> "/usr/bin/pngtopnm"
> "/usr/bin/pnmalias"
> "/usr/bin/pnmcat"
> "/usr/bin/pnmcolormap"
> "/usr/bin/pnmcomp"
> "/usr/bin/pnmconvol"
> "/usr/bin/pnmcrop"
> "/usr/bin/pnmcut"
> "/usr/bin/pnmdepth"
> "/usr/bin/pnmgamma"
> "/usr/bin/pnmhisteq"
> "/usr/bin/pnmhistmap"
> "/usr/bin/pnmindex"
> "/usr/bin/pnminvert"
> "/usr/bin/pnmmontage"
> "/usr/bin/pnmnlfilt"
> "/usr/bin/pnmnorm"
> "/usr/bin/pnmpad"
> "/usr/bin/pnmpaste"
> "/usr/bin/pnmpsnr"
> "/usr/bin/pnmremap"
> "/usr/bin/pnmrotate"
> "/usr/bin/pnmscale"
> "/usr/bin/pnmscalefixed"
> "/usr/bin/pnmshear"
> "/usr/bin/pnmsmooth"
> "/usr/bin/pnmsplit"
> "/usr/bin/pnmstitch"
> "/usr/bin/pnmtile"
> "/usr/bin/pnmtoddif"
> "/usr/bin/pnmtofiasco"
> "/usr/bin/pnmtofits"
> "/usr/bin/pnmtojbig"
> "/usr/bin/pnmtojpeg"
> "/usr/bin/pnmtopalm"
> "/usr/bin/pnmtopclxl"
> "/usr/bin/pnmtopng"
> "/usr/bin/pnmtops"
> "/usr/bin/pnmtorast"
> "/usr/bin/pnmtorle"
> "/usr/bin/pnmtosgi"
> "/usr/bin/pnmtosir"
> "/usr/bin/pnmtotiff"
> "/usr/bin/pnmtotiffcmyk"
> "/usr/bin/pnmtoxwd"
> "/usr/bin/ppm3d"
> "/usr/bin/ppmbrighten"
> "/usr/bin/ppmchange"
> "/usr/bin/ppmcie"
> "/usr/bin/ppmcolormask"
> "/usr/bin/ppmcolors"
> "/usr/bin/ppmdim"
> "/usr/bin/ppmdist"
> "/usr/bin/ppmdither"
> "/usr/bin/ppmflash"
> "/usr/bin/ppmforge"
> "/usr/bin/ppmglobe"
> "/usr/bin/ppmhist"
> "/usr/bin/ppmlabel"
> "/usr/bin/ppmmake"
> "/usr/bin/ppmmix"
> "/usr/bin/ppmntsc"
> "/usr/bin/ppmpat"
> "/usr/bin/ppmrelief"
> "/usr/bin/ppmrough"
> "/usr/bin/ppmshift"
> "/usr/bin/ppmspread"
> "/usr/bin/ppmtoacad"
> "/usr/bin/ppmtoarbtxt"
> "/usr/bin/ppmtobmp"
> "/usr/bin/ppmtoeyuv"
> "/usr/bin/ppmtogif"
> "/usr/bin/ppmtoicr"
> "/usr/bin/ppmtoilbm"
> "/usr/bin/ppmtoleaf"
> "/usr/bin/ppmtolj"
> "/usr/bin/ppmtomitsu"
> "/usr/bin/ppmtompeg"
> "/usr/bin/ppmtoneo"
> "/usr/bin/ppmtopcx"
> "/usr/bin/ppmtopgm"
> "/usr/bin/ppmtopi1"
> "/usr/bin/ppmtopict"
> "/usr/bin/ppmtopj"
> "/usr/bin/ppmtopjxl"
> "/usr/bin/ppmtoppm"
> "/usr/bin/ppmtopuzz"
> "/usr/bin/ppmtorgb3"
> "/usr/bin/ppmtosixel"
> "/usr/bin/ppmtoterm"
> "/usr/bin/ppmtowinicon"
> "/usr/bin/ppmtoxpm"
> "/usr/bin/ppmtoyuv"
> "/usr/bin/ppmtoyuvsplit"
> "/usr/bin/ppmtv"
> "/usr/bin/ppmwheel"
> "/usr/bin/psidtopgm"
> "/usr/bin/pstopnm"
> "/usr/bin/qrttoppm"
> "/usr/bin/rasttopnm"
> "/usr/bin/rawtopgm"
> "/usr/bin/rawtoppm"
> "/usr/bin/rgb3toppm"
> "/usr/bin/rletopnm"
> "/usr/bin/sbigtopgm"
> "/usr/bin/sgitopnm"
> "/usr/bin/sirtopnm"
> "/usr/bin/sldtoppm"
> "/usr/bin/spctoppm"
> "/usr/bin/spottopgm"
> "/usr/bin/sputoppm"
> "/usr/bin/tgatoppm"
> "/usr/bin/thinkjettopbm"
> "/usr/bin/tifftopnm"
> "/usr/bin/wbmptopbm"
> "/usr/bin/winicontoppm"
> "/usr/bin/xbmtopbm"
> "/usr/bin/ximtoppm"
> "/usr/bin/xpmtoppm"
> "/usr/bin/xvminitoppm"
> "/usr/bin/xwdtopnm"
> "/usr/bin/ybmtopbm"
> "/usr/bin/yuvsplittoppm"
> "/usr/bin/yuvtoppm"
> "/usr/bin/zeisstopnm"

Post "rpm --query --all --last | head" please! 
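A triage script for the checks this reply suggests, matching the Tripwire "Modified:" list against rpm and then looking at "rpm -qa --last", added here as an example and not part of the original thread. It assumes it runs as root on the affected FC3 host with rpm and prelink installed, and that the report lines look like the quoted ones above.

```shell
#!/bin/sh
# Added triage helper, not code from the original thread. Reads the quoted
# "Modified:" paths of a Tripwire report and asks rpm whether each file still
# verifies against its package. Every binary of one package changing at once,
# plus a matching date in "rpm -qa --last", points to a package update or the
# prelink cron job, not an intruder; unowned or differing files need a look.

# Pull the quoted absolute paths out of a Tripwire report read on stdin.
# Leading ">" mail quoting is ignored; lines that are not quoted paths are dropped.
tripwire_paths() {
    sed -n 's/^[> ]*"\(\/[^"]*\)"[[:space:]]*$/\1/p'
}

# Classify each path. rpm -V prints nothing for a file that matches the package
# payload; "S.5....T." style lines mean size/digest/mtime differ. On Fedora,
# rpm undoes prelinking before hashing (prelink ships /etc/rpm/macros.prelink),
# so a merely prelinked binary verifies OK even though Tripwire flags it.
verify_paths() {
    while read -r path; do
        [ -f "$path" ] || continue                  # skip dirs such as /usr/bin
        if ! pkg=$(rpm -qf "$path" 2>/dev/null); then
            echo "UNOWNED $path"; continue          # no package claims it
        fi
        if rpm -V $pkg 2>/dev/null | grep -q "[[:space:]]$path\$"; then
            echo "DIFFERS $path $pkg"               # $pkg unquoted: may list several
        else
            echo "OK $path $pkg"
        fi
    done
}

# Summarise verify_paths output on stdin: one line per status and package with
# a count, e.g. "OK netpbm-progs 268" when a whole package simply got updated.
summarize() {
    awk '{ key = $1 " " ($3 == "" ? "-" : $3); n[key]++ }
         END { for (k in n) print k, n[k] }' | sort
}

# Show when the affected packages were installed (the rpm --last check above).
install_dates() {
    awk '$3 != "" { print $3 }' | sort -u > "${TMPDIR:-/tmp}/pkgs.$$" &&
        rpm -qa --last | grep -F -f "${TMPDIR:-/tmp}/pkgs.$$"
    rm -f "${TMPDIR:-/tmp}/pkgs.$$"
}

# Usage: tripwire_paths < report.txt | verify_paths | tee verify.log | summarize
#        install_dates < verify.log
```

If a package shows as OK here but Tripwire still complains, rebuild the Tripwire database after the update and after the prelink cron job has run, as the reply advises.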
