On 02/04/02 15:16 +0530, [EMAIL PROTECTED] wrote:
<snip>
> --> ---i-------- /bin/ls
>
> Who set this attribute? Why - no clues. Only I have the root password and
> I hadn't done it. The file's modify time was March 22 20:21 and the logs
> had been truncated before that. All the logs had no entries between Feb 17
> and March 22.

Wooo, a r00ted box. If you want to do forensics, grab a forensic copy and
analyse that. Rebuild this box.

> As of now, I have checked /bin, /usr/bin, /sbin, /usr/sbin, /usr/X11R6/bin
> with lsattr and any files with immutable (i) attribute have been reset and
> the corresponding rpm reinstalled using the "--force" option.

Ever heard of patches?

> rpm -V also gives interesting results. All the files with i attribute set
> had different sizes, MD5 checksums, and Mtimes than when installed. There
> are many such files remaining but they don't have the i attribute set.

Expected for a rooted box. Were any patches applied?

> I am really worried. Some files I can identify as having been modified by
> myself. Most others I haven't touched but still they are being shown as
> modified. Which of them were modified by system processes and which by
> this virus/trojan? I still don't know how the system was infected or if it
> is cured or not.

Nothing is fixed until you rebuild and patch to the latest and greatest.
Live on bugtraq, and the redhat-security list.

> I would like to know if any of you have had similar experiences. Any
> pointers to good virus/trojan/security resources on the Internet would be
> very helpful. How can I further protect my system and detect such
> intrusions? How can I be sure that THIS attack has been cured?

Use a firewall, don't install/run unnecessary services, don't use telnetd,
use ssh, s/ftp/scp/.......

> Please help people - I am at the end of my tether. Virus attack - that too
> on Linux - It was supposed to be almost impossible.

But a cracker attack/worm attack on any unpatched, badly admined system is
very possible.

Devdas Bhagat
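
Added example, not part of the original thread: a Python sketch that combines saved `lsattr` and `rpm -V` output to separate packaged binaries whose contents changed from config files an admin may have edited, which is the sorting problem raised in the quoted message. The sample output is constructed, and the function names and the suspect/review/low labels are assumptions; the input is assumed to be collected with trusted tools against a forensic copy, because rpm, lsattr and the RPM database on the compromised box cannot be trusted.

```python
import re

# rpm -V line: flag string, optional file-type marker (c = config), then path.
RPM_V = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<kind>[cdglr])\s+)?(?P<path>/.*)$")
# lsattr line: attribute field such as ---i-------- followed by the path.
LSATTR = re.compile(r"^(?P<attrs>[A-Za-z-]{4,})\s+(?P<path>/.*)$")

# Constructed sample output, not taken from the poster's machine.
SAMPLE_LSATTR = """\
---i-------- /bin/ls
---i-------- /bin/ps
------------ /bin/cat
"""
SAMPLE_RPM_V = """\
S.5....T   /bin/ls
S.5....T   /bin/ps
S.5....T c /etc/inittab
.......T   /usr/bin/vi
"""


def immutable_paths(lsattr_text):
    """Return the paths whose attribute field carries the immutable (i) flag."""
    hits = (LSATTR.match(line.strip()) for line in lsattr_text.splitlines())
    return {m.group("path") for m in hits if m and "i" in m.group("attrs")}


def triage(rpm_v_text, lsattr_text):
    """Map path -> (level, immutable) for every file rpm -V reports as changed."""
    locked = immutable_paths(lsattr_text)
    results = {}
    for line in rpm_v_text.splitlines():
        m = RPM_V.match(line.strip())
        if not m:
            continue  # e.g. "missing" lines, not handled in this sketch
        flags, kind, path = m.group("flags", "kind", "path")
        if "5" in flags and kind != "c":
            level = "suspect"  # packaged non-config file, contents differ
        elif "5" in flags or path in locked:
            level = "review"   # config edit, or immutable flag on its own
        else:
            level = "low"      # only metadata such as mtime differs
        results[path] = (level, path in locked)
    return results


if __name__ == "__main__":
    for path, (level, locked) in sorted(triage(SAMPLE_RPM_V, SAMPLE_LSATTR).items()):
        print(f"{level:8} immutable={locked!s:5} {path}")
```
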
