Quick way to check for a rootkit: urpmi chkrootkit. Then when it's
installed, run it. Note: if the hacker is sophisticated at all, they
may have changed your ls and other basic utilities. If chkrootkit comes
up negative, and you want to be positive about the results, go to
another box that you know to be secure, and copy the following files
into a directory .chkrootkit/bin:

awk  cut  echo  egrep  find  head  id  ls  netstat  ps  sed  strings 
uname 

(Remember: get ones from a box you know isn't compromised.) cp or ln -s
your chkrootkit binaries into this .chkrootkit directory. They are:

check_wtmpx  chklastlog  chkproc  chkrootkit  chkwtmp  ifpromisc 
strings  

To run this they all need to be in the same directory together. Make
sure everything is at least 700 in permissions, then run:

cd /location/of/chkrootkit/.chkrootkit/
./chkrootkit -q -p /location/of/directory/.chkrootkit/bin   (has to be the full path name)

The -q means run quiet and suppress unneeded reporting to the screen;
the -p means use the utilities in this directory only.
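As an added example (not code from James's post), a shell script that assembles the .chkrootkit directory the steps above describe and runs chkrootkit with the full -p path; the clean-box mount point and the chkrootkit source directory are placeholder arguments.

```shell
#!/bin/sh
# Added example, not from the original post: build the .chkrootkit directory
# (trusted system utilities in bin/, chkrootkit's own binaries beside them,
# everything mode 700) and run chkrootkit against that toolbox.
# Assumptions: $1 is a mounted filesystem of a known-clean box, $2 is an
# unpacked chkrootkit build; both are placeholders for real locations.

SYSTEM_TOOLS="awk cut echo egrep find head id ls netstat ps sed strings uname"
CHKROOTKIT_TOOLS="check_wtmpx chklastlog chkproc chkrootkit chkwtmp ifpromisc strings"

# Copy the utilities from the clean root into $dest/bin and the chkrootkit
# binaries into $dest; returns 1 if any required tool cannot be found.
build_chkrootkit_dir() {
    clean_root=$1; chk_src=$2; dest=$3; missing=0
    mkdir -p "$dest/bin" || return 1
    for t in $SYSTEM_TOOLS; do
        found=
        for d in bin usr/bin sbin usr/sbin; do
            [ -x "$clean_root/$d/$t" ] && { found="$clean_root/$d/$t"; break; }
        done
        if [ -n "$found" ]; then cp "$found" "$dest/bin/$t"
        else echo "no trusted copy of $t under $clean_root" >&2; missing=1; fi
    done
    for t in $CHKROOTKIT_TOOLS; do
        if [ -x "$chk_src/$t" ]; then cp "$chk_src/$t" "$dest/$t"
        else echo "chkrootkit binary $t not found in $chk_src" >&2; missing=1; fi
    done
    chmod -R 700 "$dest"    # owner-only, as the post requires
    [ "$missing" -eq 0 ]
}

# Run chkrootkit from its directory; -p must be given the absolute path
# to the trusted bin/ directory, so relative paths are rejected up front.
run_chkrootkit() {
    dir=$1
    case "$dir" in
        /*) ;;
        *) echo "-p needs a full path, got '$dir'" >&2; return 2 ;;
    esac
    [ -x "$dir/chkrootkit" ] || { echo "no chkrootkit in $dir" >&2; return 1; }
    ( cd "$dir" && ./chkrootkit -q -p "$dir/bin" )
}
```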

If they ever again break into your box you can be pretty dang
confident they won't know about or change these utilities. Just to be
sure, I added the path to my .chkrootkit directory to
/etc/cron.daily/slocate.cron so that a locate command doesn't show it as existing.

At this point, if it shows clean you probably don't have a root kit...
but you may be rooted. Change ALL passwords immediately. Then start
checking other ways for crackers to get in. I highly recommend running
this as a cronjob at least daily. It may not hit everything, but it will
check the most common kiddy tools.

Then take this IP number, put it in /etc/ftpaccess and deny access to
the IP number, or block it if you'd like (see man ftpaccess for more info).
This will for the moment block that IP from ftp access. (It won't stop
it forever, but it will give you time to do a more complete check.)

Last... once you are sure you are buttoned up again, and are sure the
box is resecured, install tripwire or some other detection tool. It's
worth it.

James

On Thu, 27 Jun 2002 16:49:31 -0500
David Rankin <[EMAIL PROTECTED]> said with temporary authority

> Guys, Gals:
> 
>     It looks like I may have been successfully hacked! I don't know and
>     I need your help to find out. I have had many folks test my
>     security, but no one has gotten in until now. The following
>     appeared in a review of my syslog:
> 
> Jun 17 23:52:57 Nemesis xinetd[27314]: START: ftp pid=26954
> from=210.180.201.125
> Jun 17 23:52:59 Nemesis xinetd[26954]: USERID: ftp OTHER :root
> Jun 17 23:58:35 Nemesis xinetd[27314]: START: telnet pid=26963
> from=127.0.0.1
> Jun 18 00:08:02 Nemesis xinetd[27314]: EXIT: ftp pid=26954
> duration=905(sec)
> 
>     The 210 IP is some Korean address from the Asian Pacific Network.
> 
>     My first question is does it look like a successful hack? Second
> question is, if so, what do I check to find out if they caused any
> harm, installed a root kit, etc....?
> 
>     As always, thanks for any help you can provide.
> 
> --
> David C. Rankin, J.D., P.E.
> RANKIN * BERTIN, PLLC
> 1329 N. University, Suite D4
> Nacogdoches, Texas 75961
> (936) 715-9333
> (936) 715-9339 fax
