Re: Help with virus/hackers

Alan Cox (alan@lxorguk.ukuu.org.uk)
17 Apr 2003 15:12:35 +0100


On Iau, 2003-04-17 at 14:55, Richard B. Johnson wrote:
> (2) Boot with init=/bin/bash

Doesnt help you
> (5) Examine /etc/inetd.conf (if one exists). If you see an
> unusual entry near the end, you have been 'rooted'. Newer
> systems use xinetd and won't get invaded this way.
Wrong. Old xinetd < 2.3.10 has remote root exploits and real
ones circulate
> (6) Check /etc/passwd for a strange account.
Rootkits patch other stuff
> (7) Check /bin/login for a new file-date.
> (8) Check /usr/sbin/sendmail for a new file-date.
> Check /usr/sbin/inetd ""
> Check /usr/sbin/xinetd ""
> Check /usr/sbin/syslogd ""
> Check /usr/sbin/klogd ""
> Check /usr/sbin/in.* ""

Rootkits know about avoiding this

> If none of these have recent writes, just change the password on
> the root account and be happy. You just has some file-system
> corruption and you can fix up /etc/DIR_COLORS (for your color-ls
> problem) and fix /etc/profile or /root/.bashrc, /root/.profile
> to fix the bad environment variables created by these scripts.

Never do this. You don't know what else has changed on the system. You
should always (barring odd exceptions) do a full reinstall. Also clean
user executable files if neccessary (roots .login is often archived and
people rerun exploits from it...)

See the cert documents on recovering from an attack

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/