OT: Linux tip

Jay R. Ashworth jra at baylink.com
Thu Oct 18 12:47:45 PDT 2007


On Thu, Oct 18, 2007 at 12:30:13PM -0700, Bill Campbell wrote:
> On Thu, Oct 18, 2007, Jay R. Ashworth wrote:
> >I got rootkitted last month, on my sister's MythTV box, by a Polish IRC
> >bot I can't remember the name of just now, that turned up in a ps as
> >./miracle, and was in /var/tmp/keystuff.
> 
> I have a simple perl script, findexecs, that goes through
> directory trees looking for executable programs.  A quick check
> using ``findexec /tmp /dev /var/tmp'' will often turn up
> ``interesting'' things.

Assuming your rootkit doesn't break the ability of whatever system call
your perl script is using to prowl the tree with a loadable module.

> Typically the IRC is talking back to something in undernet.org.

This one was numeric.

> Another useful command is ``lsof -n -i | less'' then look for
> connections established to strange outside systems on unusual ports.

Oh: "ports".  :-)

> >I figured out where it was by going to /proc/PID/cwd, and that
> >suggested to me, just now, a pretty cool way to tell what's *really*
> >running on your machine, assuming someone hasn't monkeyed with ls and
> >/proc:
> >
> >ls -l /proc/*/exe
> 
> Crackers often mess with ps, ls, find, and other programs to hide
> their presence.  Slightly smarter crackers will set the immutable
> bit on their changed programs to make it a bit more difficult for
> one to fix them.  The commands ``lsattr'' and ``chattr'' are your
> friends (so far I haven't found a cracker who changed them :-).

Lucky us.

> On RPM based systems (SuSE, Red Hat, CentOS, etc.) ``rpm -V'' can
> be very useful to find changes by hackers.  It's no replacement
> for maintaining good intrusion detection software that makes it
> easy to detect new, missing, or changed files on the system.

Or, y'know, tripwire.

Cheers,
-- jra
-- 
Jay R. Ashworth                   Baylink                      jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com                     '87 e24
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274
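The two checks discussed in this thread, a findexecs-style sweep of scratch directories and the `ls -l /proc/*/exe` walk, combined into one script. This is an added example, not Bill's findexecs or anything from the original posts; it assumes Linux /proc semantics (readlink on /proc/PID/exe, with a " (deleted)" suffix when the binary was unlinked), a constructed list of suspect directories, and, as Jay notes, a kernel that has not been taught to lie about /proc.

```python
import os
import stat

# Constructed list of places a legitimate service binary rarely lives; tune per host.
SUSPECT_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/", "/dev/shm/")


def classify_exe(pid, exe_target):
    """Return a reason string if the process looks suspicious, else None.
    exe_target is the string readlink(/proc/PID/exe) returned."""
    if exe_target.endswith(" (deleted)"):
        return "binary unlinked from disk while still running"
    if exe_target.startswith(SUSPECT_PREFIXES):
        return "running from a scratch/temp directory"
    return None


def scan_proc(proc_root="/proc"):
    """Equivalent of `ls -l /proc/*/exe`: returns [(pid, target, reason)] for flagged processes.
    Without root only your own processes are readable; kernel threads have no exe link."""
    findings = []
    try:
        entries = os.listdir(proc_root)
    except OSError:          # no /proc on this platform
        return findings
    for entry in entries:
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:      # permission denied, kernel thread, or process already gone
            continue
        reason = classify_exe(int(entry), target)
        if reason:
            findings.append((int(entry), target, reason))
    return findings


def find_execs(roots):
    """findexecs-style sweep: every regular file with any execute bit set under the roots.
    lstat is used so symlinks pointing elsewhere are not followed or reported."""
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & exec_bits:
                    hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    for pid, target, reason in scan_proc():
        print(f"pid {pid}: {target}  <- {reason}")
    for path in find_execs(["/tmp", "/var/tmp", "/dev"]):
        print("executable:", path)
```

Both checks only see what the kernel reports, so a loadable-module rootkit that filters /proc or directory listings defeats them; they complement, rather than replace, an offline integrity check such as `rpm -V` or tripwire.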

