Peter,

I'm assuming you don't want to do any serious forensics on it.. and this
is just for "fun" so:

1. Unplug.

2. Assuming not a very sophisticated cracker (the git looks like he forgot
to trojan ps, or didn't set up the config files properly *sigh* and you
discovered it pretty easily), mount a cdrom with statically compiled
fileutils (e.g. find) and use that binary to search for whatever file
you're looking for.

3. Failing that, if you're absolutely positive that you *really* want to
find bindname.log - strings /dev/hda[1-x] or wherever.. | grep bind. Don't
forget to do that to your swap as well.. Once you've found the slice with
it in there, pull out TCT and play with grave-robber etc (if it has been
deleted). Or alternatively, grab a statically compiled version of lsof and
run it from CD to find the process and strace it etc... there's no
prescriptive definite.. it all depends on how much "fun" you want to have
and what you consider "fun"..

3a. For more fun, you may want to poke around /dev etc and look for dodgy
directory entries like ".. " etc..

4. Once you've had enough fun, rebuild the box completely (you may want to
save the bind binary that is being run for later analysis for more fun if
you like.. but remember, we're assuming "fun" here - not forensics,
because we've already ruined our evidence.. :)

5. netstat -an | grep LIST   on the newly built box and shutdown every
single damn thing that you don't specifically need/want and make sure they
don't come back after a reboot!

6. For those services which you do want/need - upgrade their packages.

7. Reboot.

8. netstat -an | grep LIST - is this the output you want?

9. Plug the box back into the network.

10. There always has to be a step 10 in instructions right? .. so yeah..
step 10.. noop();


Needless to say, I'm not taking into account other boxes that are on your
network and whether you ftp/telnet etc between them or not - if so, assume
that he was also running a sniffer and has done other naughty things, so
verify all your boxen are healthy and change all your passwords etc.. and
if not already, use ssh/scp etc.. If you kept private keys on the box, you
may also want to change them too..

//umar.

> root     21835  0.0  0.5  1072   336  ?  S N 11:31   0:00 ./bind
> 208.130.87.63 -v r
> 
> as well as
> 
> root     21297  0.0  0.6  1088   380  ?  S N 11:22   0:00 tail -f
> bindname.log
> 
> but I am unable to locate any file called bindname.log on my system ??
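Two of the checks from the reply above, step 3a (dodgy directory entries such as ".. ") and steps 5/8 (netstat -an | grep LIST against what you actually want listening), written out as an added shell example. This is not code from the original mail or from the list; the sample directory and the netstat-style text are constructed inline here, and the function names are my own. On a real box you would point find_dodgy_names at /dev (and anywhere else a cracker likes to stash things) and feed unexpected_listeners the live netstat output, preferably from the statically compiled tools on CD that the reply recommends.

```shell
#!/bin/sh
# Added example for steps 3a and 5/8 of the mail above; not code from the
# original post. Two defender-side checks on a suspected box.

# 1. Directory entries that hide from a casual `ls`: names made only of dots
#    and spaces (".. ", "..."), names with leading/trailing whitespace, or
#    names containing control characters. Each hit is printed as
#    "<reason> <name>" through `sed -n l`, which escapes non-printables and
#    marks end of line with `$`, so a trailing space becomes visible.
#    Limitation: names containing a newline are split by the read loop.
find_dodgy_names() {
    dir=$1
    # -mindepth/-maxdepth: GNU/busybox find options, assumed available.
    LC_ALL=C find "$dir" -mindepth 1 -maxdepth 1 -print |
    while IFS= read -r path; do
        name=${path##*/}
        reason=
        case $name in
            *[![:space:].]*) ;;                   # has at least one real character
            *) reason=only-dots-and-spaces ;;     # ".. ", "...", ". " and friends
        esac
        if [ -z "$reason" ]; then
            case $name in
                [[:space:]]*|*[[:space:]]) reason=leading-or-trailing-whitespace ;;
                *[[:cntrl:]]*)             reason=control-character ;;
            esac
        fi
        if [ -n "$reason" ]; then
            printf '%s %s\n' "$reason" "$name" | sed -n l
        fi
    done
    return 0
}

# Number of suspicious entries directly inside $1.
count_dodgy_names() {
    find_dodgy_names "$1" | wc -l | tr -d ' '
}

# Constructed sample directory (hypothetical, for the demo): two hidden-style
# names from the mail's ".. " trick, one trailing-space name, two normal ones.
make_sample_dir() {
    d=$(mktemp -d)
    mkdir "$d/.. " "$d/..."
    touch "$d/normal" "$d/.hidden" "$d/trailing "
    printf '%s\n' "$d"
}

# 2. Listening sockets not on an allowlist. Reads `netstat -an` style text on
#    stdin and a space-separated list of ports you expect; prints each
#    unexpected listening port once, sorted. Field 4 is the local address
#    ("0.0.0.0:22" or ":::22"); the port is whatever follows the last colon.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $NF == "LISTEN" {
            m = split($4, p, ":"); port = p[m]
            if (!(port in ok)) print port
        }' | sort -n | uniq
    return 0
}

# Constructed netstat-style output (not from the poster's box); 2222 stands
# in for the listener you did not ask for.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.7:51034      ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
EOF
}

# Demo on the constructed input; on a live box replace the sample dir with
# /dev and pipe in `netstat -an` from the static toolset.
sample=$(make_sample_dir)
find_dodgy_names "$sample"
rm -rf "$sample"
sample_netstat | unexpected_listeners "22 25"
```

The `sed -n l` trick is the point of the first check: `ls` happily prints ".. " and "..", and nothing in the terminal distinguishes them, whereas `l` prints the name with a `$` right after the last character. The second check deliberately works from saved text rather than calling netstat itself, so you can run it over the output you captured from the clean rebuild and from the suspect box side by side.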


-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug