On Tue, Dec 03, 2002 at 07:20:56AM -0600, Steve Strong wrote:
> the file exists and has the permissions you list. I've re-installed the
> passwd package from the CD, this should be the original, yes?
> steve
You'd best also check the extended attributes via 'lsattr'.

Contrary to "common knowledge", I've had no problem "de-rootkit"ing several cracked systems. (OTOH, I've been working in Unix since 1980; that may have something to do with it.) Essentially, there are only so many places to start programs; there are only so many critical commands they can attack; and there are only so many ways they can hide their footsteps.

There are a few preparatory steps that are necessary.

1. Have a known good backup on disk somewhere. NOT on a machine at risk. (I actually run a 'tar' system backup on a per-partition basis to a network-mounted removable drive.)

2. Squirrel away some critical commands. At a minimum, tar, ps, ls, ifconfig, passwd, login, rpm. Check that they don't need shared libraries--if they do, copy those, too. Keep chkrootkit in the 'safe' location(s), too.

3. Run chkrootkit daily on at-risk systems. Also, daily check for 'strange' files in /tmp and /usr/tmp. These will commonly be .files (e.g., .local).

4. At the first sign of trouble--something behaves 'funny', strange files, or a complaint from chkrootkit--take the system off-net and start your security audit. Injection points are /etc/rc.d, /etc/inittab, and the various crontabs and at jobs--this is where they'll try to start and re-start their own programs.

As of step (4), the job shifts from mechanics to artform. They'll try to preserve the time/date stamp on normal commands such as 'ps', but commonly will fail to catch everything--especially in rc files or their own temp directories. Once you can nail a date and hour, search the whole system for any file created or modified on that date/time. Your logs will, generally, be worthless unless you've also sent them to another system (which should be firewalled) and/or to a hardcopy printer or write-only media. Run RPM to validate packages. And especially look for anything with attributes set via 'chattr'.
Virtually _nothing_ uses this in a stock system--any set attributes are warning signs that they've been there.

The whole process takes me ~60-90 minutes.

Oh, and if you've good outbound rules on your firewall, they often can't clean up neatly. I've caught IP addresses and destination mail addresses and machine FQDNs this way, too.

G'luck,
--
Dave Ihnat
[EMAIL PROTECTED]

--
redhat-list mailing list
https://listman.redhat.com/mailman/listinfo/redhat-list
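As an added illustration (not part of Dave's post, nor any tool he mentions): the daily checks and the audit steps above turned into a handful of POSIX shell functions. They assume a Linux box with GNU find and touch, e2fsprogs' lsattr and rpm for the live scans; the scratch directories and the set of critical commands are the ones named in the post, everything else (function names, the excluded socket directories, the time window format) is this example's own choice.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes GNU find/touch,
# e2fsprogs' lsattr and rpm. Function names and the window format are
# this example's own conventions.

# Step 3: dotfiles in scratch directories (e.g. /tmp/.local). The three
# X11/session socket directories are excluded because they are normal
# on a system running X; anything else starting with '.' is reported.
scratch_dotfiles() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        for f in "$d"/.[!.]* "$d"/..?*; do
            [ -e "$f" ] || continue          # unmatched glob stays literal
            case "${f##*/}" in
                .X11-unix|.ICE-unix|.font-unix) continue ;;
            esac
            printf '%s\n' "$f"
        done
    done
}

# Audit step: extended attributes. Reads lsattr output on stdin
# ("----i--------e-- /bin/ps") and prints paths with immutable (i) or
# append-only (a) set. Directory headers ("/bin:") and blank lines are
# skipped. Parsing is kept separate from the lsattr call so output
# captured on the suspect box can be examined on a clean one.
flag_attrs() {
    awk '$1 ~ /^[-a-zA-Z]+$/ && $1 ~ /[ia]/ { print $2 }'
}

# Live wrapper: only meaningful when run with the squirrelled-away copies.
scan_attrs() {
    lsattr -R "$@" 2>/dev/null | flag_attrs
}

# Audit step: once a date/hour is pinned down, list regular files whose
# mtime falls in (START, END]. Times are in touch -t form (YYYYMMDDhhmm),
# e.g. 200212030200. Two reference files carry the window boundaries
# because POSIX find only offers -newer, not -newermt.
modified_between() {
    start=$1; end=$2; shift 2
    ref_start=$(mktemp) && ref_end=$(mktemp) || return 1
    touch -t "$start" "$ref_start"
    touch -t "$end"   "$ref_end"
    find "$@" -xdev -type f -newer "$ref_start" ! -newer "$ref_end"
    rm -f "$ref_start" "$ref_end"
}

# Audit step: rpm verification of the packages owning the critical
# commands from step 2 (rpm -Vf verifies the package that owns a file).
verify_critical() {
    for cmd in tar ps ls ifconfig passwd login rpm; do
        p=$(command -v "$cmd" 2>/dev/null) || continue
        rpm -Vf "$p"
    done
}
```

Typical daily use would be `scratch_dotfiles /tmp /usr/tmp` and `scan_attrs /bin /sbin /usr/bin /usr/sbin /etc` from cron, with the output mailed to the firewalled log host rather than left on the box; `modified_between` is for the manual audit once a timestamp has been nailed down.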