On Wed, 1 Mar 2000, Ed Lazor wrote:
>
> > There were a whole shit-load of files that got changed. ls is one of them
> > that was changed. Get that put back and then go look at /tmp.
> > In there you
> > will find rk and rki. In the rk directory you will find rkinstall. It
> > contains a list of all the files that got changed.
>
> I must have lucked out. I grabbed a new copy of ls, checked, and didn't
> find rk in the tmp dir. Then I grabbed a new copy of find and ran
>
> find / -name 'rk*' -print
>
I don't know how badly you got hacked, etc. But I will tell you
this. If you don't format the drive and start over you will never know
100% if you are free of these hackers.
Depending on the skill level, the determination, etc. of the hacker,
anything could have been done. Even the RPM stuff could be manipulated so
that it doesn't pick up any red flags.
Sometimes hackers don't change your binaries... this way, your
binaries (find, ls, ps, login, etc.) all look good. Instead they change
your libraries... then you can switch out binaries all you want, but if
they patch something like crypt(), then you are pretty much screwed.
The first rule is don't let yourself get hacked. The second rule is if
you do get hacked, don't assume you can figure out everything the hacker
has done to the system; all you can do is a best attempt, but it would be
a far from trivial task to truly hunt it all down.
> and it didn't find anything.
>
> Maybe I lucked out?
>
> -Ed
-----------------------------------------------------
Brian Feeny (BF304) [EMAIL PROTECTED]
318-222-2638 x 109 http://www.shreve.net/~signal
Network Administrator ShreveNet Inc. (ASN 11881)
--
To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
as the Subject.
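Brian's point that swapping binaries proves nothing when the libraries underneath them were patched can be turned into a concrete check. The following is an added example (my own code, not from either poster): it hashes every binary and shared library named in a known-good manifest and reports what changed, run here against a constructed sample tree in which ls and find are clean but libcrypt is not. The manifest, and the interpreter the check runs under, have to come from trusted offline media for exactly the reasons he gives.

```python
import hashlib
import os
import tempfile

# Constructed known-good contents. In practice the manifest comes from
# trusted offline media (vendor package checksums, or hashes taken before
# the compromise), never from the possibly subverted host itself.
CLEAN_FILES = {
    "bin/ls": b"ELF clean ls",
    "bin/find": b"ELF clean find",
    "lib/libcrypt.so.1": b"ELF clean crypt()",
}

def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_manifest(root, manifest):
    """Check every manifest entry (relative path -> sha256 hex) against the
    tree under `root`. Returns {relative path: 'ok'|'modified'|'missing'}."""
    results = {}
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            results[rel] = "missing"
        elif sha256_file(path) != expected:
            results[rel] = "modified"
        else:
            results[rel] = "ok"
    return results

def build_demo_tree():
    """Constructed sample tree reproducing the thread's scenario: clean
    ls/find were put back, but the shared library was patched instead."""
    root = tempfile.mkdtemp()
    manifest = {}
    for rel, data in CLEAN_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        manifest[rel] = hashlib.sha256(data).hexdigest()
    with open(os.path.join(root, "lib", "libcrypt.so.1"), "wb") as f:
        f.write(b"ELF trojaned crypt()")  # library altered, binaries untouched
    return root, manifest

if __name__ == "__main__":
    root, manifest = build_demo_tree()
    for rel, status in sorted(verify_manifest(root, manifest).items()):
        print(f"{status:9} {rel}")
```

Files present on disk but absent from the manifest (the /tmp/rk directory in Ed's case) are not covered by this comparison, so a separate walk for unlisted files belongs alongside it.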