brian wrote:
> FWIW, I've also found a lot of rootkits hidden in the /home and games
> directories on various systems.  For starters, I'd also compare the
> sizes of your various utils, like top, ls, more, etc to known good
> utils.  If you can mount the infected disk on another clean server as RO
> to analyze it, that would also make diagnosis easier.

This is an example of the manual effort that I'm trying to avoid. Doing this with upward of 40 systems takes too long and results in way too much downtime.

> The chkrootkit package is a quick once over. The best place to look is in /dev, as that's where a lot of rootkits hide their stuff. I find a command like this is pretty useful:
>
> find /dev -maxdepth 1 -ls | grep 'd[-r][-w]'

I'm pulling over the chkrootkit package. Sounds like exactly what I'm looking for!

> and then make sure those directories that it returns are actually supposed to be there. ls is almost always trojaned, hence the reason to use find.

FYI, in this case a lot of utilities were trojaned. The list is:
dir, find, locate, md5sum, pstree, slocate, top, lsof, ifconfig, syslogd, login, ls, netstat, and ps. Interestingly, I was able to determine this because all of these were owned by a regular user account rather than root!

The system also had these odd things: two hidden directories (that I've found; there may be more), /var/nis/..\ \ (that's two dots and two spaces) and /etc/nhm/... (three dots). Both had binary and data files used to get at things that you'd rather keep private, and included a trojaned httpd and a utility called write that was collecting data to be sent elsewhere. There was also a file /etc/cron.daily/sync that sends email to a yahoo.com account with the contents of /etc/.mc.

In /var/tmp there was a file t.tgz that contained a file called t, which had been unpacked in that same directory, owned by root; t was setuid and setgid and contained binary data. The file utility did not think it was a normal executable, though.

--

Dan Coutu
Managing Director
Snowy Owl Internet Consulting, LLC
http://www.snowy-owl.com/
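The checks traded back and forth above (directories hiding in /dev, names made only of dots and spaces, system binaries not owned by root, setuid files in /var/tmp, and comparing utilities against known-good copies) can be scripted so that they run the same way on every host instead of by hand. The script below is an added example and is not code from the thread, from chkrootkit, or from either poster; it assumes the suspect filesystem is reachable under a root you pass in (ideally a read-only mount on a clean machine, as brian suggests), that the clean reference tree you hash for the baseline really is clean, and that GNU or BusyBox find, grep, sed and sha256sum are available. It only reads the suspect tree.

```shell
#!/bin/sh
# Read-only rootkit triage for the indicators discussed in this thread.
# Added example, not from the original posts. Point it at "/" on a live
# host or at the mount point of a suspect disk mounted read-only elsewhere.

# Directories directly under <root>/dev. Every entry here should be one
# you can explain; this is brian's find|grep check without relying on ls.
list_dev_dirs() {           # <root>
    find "${1%/}/dev" -mindepth 1 -maxdepth 1 -type d 2>/dev/null
}

# Entries anywhere under the given directories whose name consists only of
# dots and spaces (e.g. "..  " or "..."): invisible to a casual ls and
# never a legitimate name.
find_odd_names() {          # <dir>...
    find "$@" -mindepth 1 2>/dev/null | grep -E '/[. ]+$'
}

# Regular files under <dir> NOT owned by <uid> (numeric). System binaries
# belong to uid 0; the trojaned set above stood out because a regular
# user owned them.
find_not_owned_by() {       # <dir> <uid>
    find "$1" -type f ! -user "$2" 2>/dev/null
}

# Setuid/setgid regular files under the given directories. Nothing
# legitimate needs one in /tmp or /var/tmp.
find_setid_files() {        # <dir>...
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Hash manifest of a trusted tree (take it from a clean system at the same
# build/patch level). Paths in the manifest are relative to that root.
make_baseline() {           # <clean_root> <manifest_out>
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) > "$2"
}

# Paths (relative to <suspect_root>) whose hash differs from the manifest
# or that are missing. This catches a size change (brian's check) and also
# a same-size patch that a size comparison would miss.
check_against_baseline() {  # <suspect_root> <manifest, absolute path>
    ( cd "$1" && sha256sum -c "$2" 2>/dev/null ) | sed -n 's/: FAILED.*$//p'
}

# Run every check against one root and print labelled findings. Loop this
# over your hosts (ssh, or a set of mounted images) to cover all of them.
triage() {                  # <root> [manifest]
    root=${1%/}
    echo "== directories under $root/dev (verify each) =="
    list_dev_dirs "$root"
    echo "== dot/space-only names under $root/etc $root/var $root/tmp =="
    find_odd_names "$root/etc" "$root/var" "$root/tmp"
    echo "== system binaries not owned by uid 0 =="
    for d in bin sbin usr/bin usr/sbin; do find_not_owned_by "$root/$d" 0; done
    echo "== setuid/setgid files in temp directories =="
    find_setid_files "$root/tmp" "$root/var/tmp"
    if [ -n "$2" ]; then
        echo "== files differing from baseline $2 =="
        check_against_baseline "$root" "$2"
    fi
}

# Usage: sh triage.sh /mnt/suspect [/path/to/manifest.sha256]
if [ $# -gt 0 ]; then
    triage "$@"
fi
```

Generate the manifest once per OS build on a machine you trust, keep it off the monitored hosts, and treat every line the script prints as something to explain rather than as proof of compromise: /dev/pts and /dev/shm will always show up under the first heading, for instance. The script deliberately avoids ls, ps and md5sum-style tools that the thread reports as trojaned, but if find, grep or sed themselves are replaced its output is no longer trustworthy either, which is one more reason to run it against a read-only mount from a clean system.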


_______________________________________________ gnhlug-discuss mailing list [EMAIL PROTECTED] http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss