OT: Linux tip
Jay R. Ashworth
jra at baylink.com
Thu Oct 18 12:47:45 PDT 2007
On Thu, Oct 18, 2007 at 12:30:13PM -0700, Bill Campbell wrote:
> On Thu, Oct 18, 2007, Jay R. Ashworth wrote:
> >I got rootkitted last month, on my sister's MythTV box, by a Polish IRC
> >bot I can't remember the name of just now, that turned up in a ps as
> >./miracle, and was in /var/tmp/keystuff.
>
> I have a simple perl script, findexecs, that goes through
> directory trees looking for executable programs. A quick check
> using ``findexec /tmp /dev /var/tmp'' will often turn up
> ``interesting'' things.
Assuming your rootkit doesn't break the ability of whatever system call
your perl script is using to prowl the tree with a loadable module.
> Typically the IRC is talking back to something in undernet.org.
This one was numeric.
> Another useful command is ``lsof -n -i | less'' then look for
> connections established to strange outside systems on unusual ports.
Oh: "ports". :-)
> >I figured out where it was by going to /proc/PID/cwd, and that
> >suggested to me, just now, a pretty cool way to tell what's *really*
> >running on your machine, assuming someone hasn't monkeyed with ls and
> >/proc:
> >
> >ls -l /proc/*/exe
>
> Crackers often mess with ps, ls, find, and other programs to hide
> their presence. Slightly smarter crackers will set the immutable
> bit on their changed programs to make it a bit more difficult for
> one to fix them. The commands ``lsattr'' and ``chattr'' are your
> friends (so far I haven't found a cracker who changed them :-).
Lucky us.
> On RPM based systems (SuSE, Red Hat, CentOS, etc.) ``rpm -V'' can
> be very useful to find changes by hackers. It's no replacement
> for maintaining good intrusion detection software that makes it
> easy to detect new, missing, or changed files on the system.
Or, y'know, tripwire.
Cheers,
-- jra
--
Jay R. Ashworth Baylink jra at baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com '87 e24
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
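The two checks traded in this thread, walking scratch directories for executables (Bill's findexecs) and reading `/proc/*/exe` to see what is really running (Jay's `ls -l /proc/*/exe`), combined into one small triage script. This is an added example, not code from the thread or the findexecs script; the watched directory list, the `SAMPLE_EXE_LINKS` table and the function names are my assumptions, and the sample entries are constructed to mirror the `/var/tmp/keystuff` case described above. It reads real `/proc` only when run on a Linux box, and as Jay's caveat says, a kernel module can lie to it.

```python
#!/usr/bin/env python3
"""Defender-side triage in the spirit of the thread (added example).
Assumptions: Linux /proc layout; SUSPECT_DIRS is a starting list, not
an exhaustive one; needs root to read every process's exe link."""
import os
import stat
import tempfile

# Directories where a *running* binary is unusual on a server (assumption).
SUSPECT_DIRS = ("/tmp", "/var/tmp", "/dev", "/dev/shm")


def is_under(path, roots):
    """True if path is inside one of roots (prefix match on whole components)."""
    p = os.path.normpath(path)
    return any(p == r or p.startswith(r.rstrip("/") + "/") for r in roots)


def classify_exe(pid, target):
    """Return a reason string if an exe link target looks suspicious, else None."""
    if target.endswith(" (deleted)"):
        return "binary unlinked from disk"          # classic drop-and-delete
    if is_under(target, SUSPECT_DIRS):
        return "runs from world-writable scratch dir"
    if os.path.basename(target).startswith("."):
        return "hidden name"
    return None


def scan_proc_exe(exe_links):
    """exe_links: mapping pid -> readlink(/proc/<pid>/exe) result.
    Returns a sorted list of (pid, target, reason) for suspicious entries."""
    findings = []
    for pid, target in sorted(exe_links.items()):
        reason = classify_exe(pid, target)
        if reason:
            findings.append((pid, target, reason))
    return findings


def collect_proc_exe(proc="/proc"):
    """Read /proc/<pid>/exe for every numeric pid; skips ones we can't read."""
    links = {}
    for entry in os.listdir(proc):
        if entry.isdigit():
            try:
                links[int(entry)] = os.readlink(os.path.join(proc, entry, "exe"))
            except OSError:
                pass  # process exited, or permission denied without root
    return links


def find_execs(roots):
    """Walk directory trees, return regular files with any execute bit set
    (the same idea as the findexecs script mentioned in the thread).
    Uses lstat so symlinks are not followed into other trees."""
    hits = []
    for root in roots:
        for dirpath, _dirs, filenames in os.walk(root):
            for name in filenames:
                full = os.path.join(dirpath, name)
                try:
                    st = os.lstat(full)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
                    hits.append(full)
    return sorted(hits)


def find_execs_selftest():
    """Build a throwaway tree with one executable and one plain file and
    return the basenames find_execs reports (constructed input)."""
    d = tempfile.mkdtemp(prefix="findexecs_")
    exe = os.path.join(d, "miracle")
    txt = os.path.join(d, "notes.txt")
    for path, mode in ((exe, 0o755), (txt, 0o644)):
        open(path, "w").close()
        os.chmod(path, mode)
    return [os.path.basename(p) for p in find_execs([d])]


# Constructed sample modelled on the thread's description (not real data).
SAMPLE_EXE_LINKS = {
    1: "/sbin/init",
    842: "/usr/sbin/sshd",
    3117: "/var/tmp/keystuff/miracle",
    3120: "/tmp/.x/bot (deleted)",
    4001: "/usr/bin/mythbackend",
}

if __name__ == "__main__":
    for pid, target, reason in scan_proc_exe(SAMPLE_EXE_LINKS):
        print(f"pid {pid}: {target}  <- {reason}")
    print("selftest found:", find_execs_selftest())
    if os.path.isdir("/proc"):  # live scan only where /proc exists
        live = scan_proc_exe(collect_proc_exe())
        print(f"live scan: {len(live)} suspicious process(es)")
```

Run it as root for a complete picture; unprivileged it silently skips other users' processes. The `(deleted)` check matters because an unlinked binary leaves nothing for `findexecs` or `rpm -V` to find on disk, only the `/proc` link.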