Mailinglist Archive: opensuse-security (605 mails)

Re: [suse-security] Am I hacked???
  • From: Maarten J H van den Berg <maarten@xxxxxxx>
  • Date: Fri, 12 Oct 2001 10:29:25 +0200
  • Message-id: <01101210292500.29635@itux>
On Friday 12 October 2001 06:41, Togan Muftuoglu wrote:
> * Eric Whiting; <ewhiting@xxxxxxxx> on 11 Oct, 2001 wrote:
> > I did a check of all /usr/bin /bin/ /sbin files. They all still have
> > the same checksum as these files on a box in another safer world. (I
> > used rsync -cnR -av -e ssh $SRC $DST to check these dirs) I did a
> > manual scp/diff of netstat/ps/ls/strings.
>
> ^^^^^^^^^^^^^^^^
>
> These would be the first to be replaced by an attacker AFAIK in order to
> hide the files/directories he has installed. So unless you are using
> these utilities from a safe source I would not have trusted them.

For what it's worth... give 'chkrootkit' a try.
It already works remarkably well IMHO, even(!) when it runs directly from
a compromised system. If (much, much better!) you run it from safe media
it will probably find [close to] any and all scriptkiddie(*) rootkits
that are in common use today.
Of course, YMMV, and all disclaimers apply etc etc...

http://www.chkrootkit.org/

(*) Unlike scriptkiddies, good crackers/hackers can hide from just about
anything but that's another story. Just pray you don't get to deal with
one of those people. ;-)

Good luck,
Maarten

--
brick (brik) n. (4) pl. Another item that can be used to crash windows.

Maarten J. H. van den Berg ~~//~~ network administrator
van Boetzelaer van Bemmel - Amsterdam - The Netherlands
http://vbvb.nl T+31204233288 F+31204233286 G+31651994273
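The check Eric describes (rsync -c against a box "in another safer world") and Togan's point that ls/ps/netstat on the suspect host cannot be trusted boil down to a manifest comparison. Below is an added illustration, not code from this thread: a trusted host builds a SHA-256 manifest of its system directories, the same code hashes the suspect tree from boot media, and the diff reports replaced, missing and unexpected files. The sample trees and file contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map each regular file under root (path relative to root) to its digest.
    Symlinks are skipped; their targets are hashed under their own path."""
    return {
        str(p.relative_to(root)): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }

def compare_manifests(trusted: dict, suspect: dict) -> dict:
    """Files whose content differs from the baseline, files that vanished,
    and files the baseline never had (a hidden directory or dropped tool)."""
    return {
        "changed": sorted(k for k in trusted if k in suspect and trusted[k] != suspect[k]),
        "missing": sorted(k for k in trusted if k not in suspect),
        "added": sorted(k for k in suspect if k not in trusted),
    }

def demo() -> dict:
    """Constructed sample: a trusted tree and a suspect tree in which ps was
    replaced, strings was removed and an unexpected file appeared."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted, suspect = Path(tmp, "trusted"), Path(tmp, "suspect")
        baseline = {"ls": b"ls-1.0", "ps": b"ps-1.0", "strings": b"strings-1.0"}
        for tree in (trusted, suspect):
            tree.mkdir(exist_ok=True)
            for name, content in baseline.items():
                (tree / name).write_bytes(content)
        (suspect / "ps").write_bytes(b"ps-1.0-modified")  # replaced binary
        (suspect / "strings").unlink()                   # removed binary
        (suspect / ".hidden").write_bytes(b"extra")       # unexpected file
        return compare_manifests(build_manifest(trusted), build_manifest(suspect))

if __name__ == "__main__":
    print(demo())  # {'changed': ['ps'], 'missing': ['strings'], 'added': ['.hidden']}
```

The manifest only means something if both the Python interpreter and the filesystem view come from trusted media; the same caveat the thread raises about ps and ls applies to whatever does the hashing.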
