On Thursday 11 October 2001 16.36, James Oakley wrote:
On October 10, 2001 11:13 am, Jesse Marlin wrote:
dog@intop.net writes:
Okay, top gave you what it was supposed to, a list of processes running on the machine. Some rootkits will put a trojan in top and when you run it you get a root prompt; that's why I suggested running it and seeing what happened. If lsmod didn't work, try /sbin/lsmod.
What happened on my system was that top filtered out the processes that the hacker was running, so I never saw them. Almost all the basic binaries had been replaced with versions that filtered this stuff. I originally discovered the offending processes by running 'lsof', which will show you file locks. I saw one in the list that looked funny, and started to investigate. That is when I discovered that ls, top, etc. had been replaced. I was scratching my head for a while, trying to figure out what was going on. Rebooting the system locked me out entirely. I could not replace the affected binaries because they had modified the ext2 flags. I ended up reinstalling, because it would have been too much trouble to undo what had been done. As far as I could tell, all the hackers were doing was running an IRC server.
The first thing I do when I suspect something is type:
rpm -V ps
That will tell you if ps or top were changed or replaced, a very common thing in rootkits.
Unless of course rpm has been changed or replaced :) Rule of thumb: if you suspect a breakin, don't trust *any* tools on that computer. Disconnect, and mount drives readonly on a machine that's never been exposed to the net in any way.
In fact, I try to keep everything on my system in the RPM database specifically so that I can rpm -V it.
Won't help you if the rpm database is on the compromised system. Put it on a CD immediately after installation, before going on the net.
Oh, BTW: everybody (and I mean EVERYBODY!) should have scanlogd installed and running. The package is in the sec diskset and you have to set START_SCANLOGD="yes" in rc.config. Every once in a while grep /var/log/messages for scanlogd messages and look at the following messages. It doesn't take a lot of time and it's worth it for the peace of mind alone. The vast majority of hack attempts follow a portscan...
regards,
Anders
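Two of the checks recommended in the thread, written out as a small shell script. This is an added example and not code from any of the posters: it summarises scanlogd reports in a syslog file by source address, shows the log lines that follow each report (the "look at the following messages" step), and lists binaries on a read-only mounted suspect disk that carry the ext2 immutable or append-only flag, which is what stops a plain cp from replacing a trojaned ls or top. The sample log lines are constructed in scanlogd's "From A to B ports ..." wording and are not a real capture; the mount point /mnt/suspect, the package of binaries checked, and the idea that lsattr(1) is run from the examining machine rather than from the suspect disk are all assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread above. Three functions:
#   scan_sources    - summarise scanlogd reports in a syslog file by source
#   scan_context    - show the log lines that follow each scanlogd report
#   check_immutable - on a suspect disk mounted read-only, list binaries
#                     carrying the ext2 immutable (i) / append-only (a) flags
# Assumptions: the sample log below is constructed (scanlogd-style wording,
# not a real capture); /mnt/suspect and the list of binaries are illustrative;
# lsattr(1), awk, grep and sort come from the examining machine, never from
# the suspect disk (the thread's rule: trust no tool on a compromised box).

scan_sources() {
    # $1: syslog file. Prints "count source", busiest scanner first.
    awk '/scanlogd:/ {
            src = ""
            for (i = 1; i <= NF; i++)
                if ($i == "scanlogd:") {
                    src = $(i + 1)
                    if (src == "From") src = $(i + 2)   # "From A to B ports ..."
                    break
                }
            if (src != "") n[src]++
         }
         END { for (s in n) print n[s], s }' "$1" | sort -rn
}

scan_context() {
    # $1: syslog file; $2: lines to show after each report (default 3).
    # What a scanner did right after the portscan is usually the next entry.
    grep -A "${2:-3}" 'scanlogd:' "$1"
}

check_immutable() {
    # $1: mount point of the suspect filesystem (mounted ro,noexec).
    # Rootkits chattr +i/+a their replacements so they survive a naive
    # overwrite; lsattr exposes the flags. Prints offending paths.
    root=${1:-/mnt/suspect}
    for f in bin/ls bin/ps bin/netstat bin/login usr/bin/top usr/bin/lsof \
             sbin/ifconfig usr/sbin/sshd; do         # illustrative list
        [ -e "$root/$f" ] || continue
        lsattr -d "$root/$f" 2>/dev/null | awk '$1 ~ /[ia]/ { print $2 }'
    done
}

# Constructed sample log, written to a temp file so the functions can run.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Oct 10 03:12:41 gw scanlogd: From 10.1.2.3 to 192.168.0.7 ports 21, 22, 23, 25, 53, 80, 110, ..., TOS 00 @03:12:41
Oct 10 03:12:55 gw sshd[412]: Accepted password for anders from 192.168.0.20 port 1022
Oct 10 04:02:10 gw scanlogd: From 10.1.2.3 to 192.168.0.7 ports 111, 113, 139, 143, 443, 513, 514, ..., TOS 00 @04:02:10
Oct 10 04:02:12 gw in.ftpd[517]: connect from 10.1.2.3
Oct 11 09:47:03 gw scanlogd: From 172.16.9.9 to 192.168.0.7 ports 1, 7, 9, 13, 19, 21, 22, ..., TOS 00 @09:47:03
Oct 11 09:47:40 gw kernel: eth0: link up
EOF

scan_sources "$LOG"     # prints: 2 10.1.2.3 / 1 172.16.9.9
scan_context "$LOG" 1   # each report plus the entry logged right after it
# check_immutable /mnt/suspect   # run on the forensic box, suspect disk mounted ro
```

Once check_immutable names a file, the recovery Jesse described as impossible is `chattr -ia` on the file (from the clean machine, with the disk remounted read-write only for that step) followed by copying in the binary from trusted media; whether that is worth doing versus reinstalling is the judgement call the thread already makes.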