Last week I uncovered a RedHat box that had been rooted (fortunately it had only recently been installed and nothing important was on it.) Rather than me having to go through a hands-on intensive process of analyzing every other Linux system on the LAN are there tools that I can use to determine whether or not this SOB got into other systems?
Any pointers to where I can learn more about the different types of rootkits and how to counter or detect them are also welcome.
Thanks! --
i seem to remember freebsd having a nightly cronjob script that would save the md5sum of every file on the system to a file.. and then compare it with the md5sum of the same file that it generated 24 hours before. differences were mailed to root.. i always thought this to be a good idea, perhaps you could implement it yourself? seems like a simple shell script.
anyway, that solution doesnt work well in your current situation. do you have
another box w/ the same updates, that you know is clean? you could compare md5's from that one...
HTH,
-tom
Something like this can be done by utilities like tripwire. The catch is that they need to have been setup *before* the breakin occurs. I'm trying to play catchup here with systems that are in an unknown state of security (or lack thereof.)
I also know how to detect this particular hack but it involves a lot of manual effort with copying known good utilities (like ls and lsof) and examining a number of different directories and files. Quite time consuming.
--
Dan Coutu Managing Director Snowy Owl Internet Consulting, LLC http://www.snowy-owl.com/
_______________________________________________ gnhlug-discuss mailing list [EMAIL PROTECTED] http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
