Re: Help with virus/hackers

From: John Jasen (jjasen@realityfailure.org)
Date: Thu Apr 17 2003 - 10:31:53 EST


If you really want to examine the remains of a compromise, boot from a
CD-based distro or something like that, and mount the partitions
read-only.

If you don't want to, or have no idea what you're looking at, as Alan
said, recover and verify user data, then reformat and reinstall.

On 17 Apr 2003, Alan Cox wrote:

> > (7) Check /bin/login for a new file-date.
> > (8) Check /usr/sbin/sendmail for a new file-date.
> > Check /usr/sbin/inetd ""
> > Check /usr/sbin/xinetd ""
> > Check /usr/sbin/syslogd ""
> > Check /usr/sbin/klogd ""
> > Check /usr/sbin/in.* ""
>
> Rootkits know about avoiding this

Oh, yes. If you were running tripwire, and being good about keeping the
database somewhere on read-only media, you might be able to detect file
modifications. Place emphasis on might.

> Never do this. You don't know what else has changed on the system. You
> should always (barring odd exceptions) do a full reinstall. Also clean
> user executable files if necessary (root's .login is often archived and
> people rerun exploits from it...)

I'm trying to think up one of those odd situations ...

-- 
-- John E. Jasen (jjasen@realityfailure.org)
-- User Error #2361: Please insert coffee and try again.
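An added example, not part of the thread: a tripwire-style baseline check in Python that compares a content digest (plus size, mode, owner and mtime) against a saved baseline, so the file-date checks in the quoted list are replaced by something a restored timestamp cannot satisfy. It assumes a constructed sample tree standing in for /bin/login and /usr/sbin/sendmail; in real use the baseline lives on read-only media and the check runs from a CD-booted system over read-only mounted partitions.

```python
import hashlib
from pathlib import Path

# Fields compared against the baseline. The digest is the one that matters:
# a replaced binary whose timestamp was put back still has a new digest.
FIELDS = ("sha256", "size", "mode", "uid", "gid", "mtime")

def _digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths) -> dict:
    """Record digest, size, mode, owner and mtime of each existing regular file.

    Keep the returned dict (e.g. serialised as JSON) on read-only media; a
    baseline stored on the compromised disk can be edited along with the binaries.
    """
    baseline = {}
    for p in map(Path, paths):
        if p.is_file():
            st = p.stat()
            baseline[str(p)] = {"sha256": _digest(p), "size": st.st_size,
                                "mode": st.st_mode, "uid": st.st_uid,
                                "gid": st.st_gid, "mtime": int(st.st_mtime)}
    return baseline

def compare(baseline: dict, paths) -> dict:
    """List changed fields per file, files now missing, and files absent from the baseline."""
    current = build_baseline(paths)
    report = {"changed": {}, "missing": [], "new": sorted(set(current) - set(baseline))}
    for path, old in baseline.items():
        now = current.get(path)
        if now is None:
            report["missing"].append(path)
            continue
        diffs = [k for k in FIELDS if old[k] != now[k]]
        if diffs:
            report["changed"][path] = diffs
    return report

def sample_tree(root) -> list:
    """Constructed stand-ins for /bin/login and /usr/sbin/sendmail so the example runs offline."""
    files = {"login": b"#!/bin/sh\necho login stub\n", "sendmail": b"#!/bin/sh\necho mta stub\n"}
    for name, body in files.items():
        (Path(root) / name).write_bytes(body)
    return [str(Path(root) / name) for name in files]
```

A report with an empty "changed" dict is only as trustworthy as the baseline it was compared against, which is why the baseline must come from media the compromised host could not write to.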




This archive was generated by hypermail 2b29 : Wed Apr 23 2003 - 22:00:21 EST