Box Cracked ( Was: thank's )

Manuel Arostegui Ramirez manuel at todo-linux.com
Sun Oct 21 07:43:34 UTC 2007 

El Domingo, 21 de Octubre de 2007 01:52, John Summerfield escribió:
> bob.smith at kolumbus.fi wrote:
> > Manuel Arostegui Ramirez <manuel at todo-linux.com> kirjoitti:
> >> El Sábado, 20 de Octubre de 2007 16:37, Les Mikesell escribió:
> >> > Note that if the box has been cracked with a typical rootkit, the
> >> > netstat program (and ps, ls, etc.) will have been replaced with
> >>
> >> versions
> >>
> >> >   that don't show what is really going on.
> >>
> >> Absolutely.
> >> The thing is that the original poster have not provided any
> >> information or any thought that lead him to think he has been hacked,
> >> so we're just guessing...
> >>
> >> I just think he don't have any idea about what's going on on his
> >> system, so we don't know if he already ran rkhunter or similar to find
> >> out if there's any well-known rootkit installed...
> >>
> >> Let's wait...
> >>
> >> All the best
> >> Manuel
> >>
> >> --
> >> Manuel Arostegui Ramirez.
> >>
> >> Electronic Mail is not secure, may not be read every day, and should not
> >> be used for urgent or sensitive issues.
> >
> > Attached tmp directory ls -lR, anything unnormal to your eyes there?
>
> If you think you've been rooted, assume it's been done properly*, and do
> your forensics from RO media.
>
> I think insert linux is a forensic kit, look at distrowatch for it: with
> a name like that, google's probably not going to help.
>
> At a pinch you can boot the rescue disk and "DO NOI" chroot to the
> system. Use find to look for strange binaries in strange places, run
> "rpm -Va" to check for replaced binaries (I don't suppose a negative
> finding is entirely trustworthy) and "rpm -qa --last" to see what's
> installed recently.
>
>
> Also, look at all users' .bash_history; I have seen careless intruders
> leave evidence there.
>
> You could also compare the sizes of ls, find, ps with the sizes of
> known-good ones; it's highly likely an intruder would replace those
> binaries, and some others.
>
>
>
>
> * "Properly" means find, ls, ps, lsof, netstat are all altered to hide
> the fact you-re 0wned.
>

Sometimes it's useful to look in /etc/passwords for new users created with uid 
0.
It's a good idea to create users such like smtp, smtprelay, systemuser or that 
sort of names which, in the beggining doesn't seem to be suspicius and give 
them the uid 0...
So it's a good idea to look for other users with the 0 uid despide of root.

Manuel

-- 
Manuel Arostegui Ramirez.

Electronic Mail is not secure, may not be read every day, and should not
be used for urgent or sensitive issues.

More information about the fedora-list mailing list