Mailinglist Archive: opensuse (3863 mails)
| < Previous | Next > |
Re: [SLE] chkroot claims top infected
- From: Thomas Jones <thomas.jones@xxxxxxxxxxxxxxxx>
- Date: Sun, 1 Feb 2004 22:07:59 -0800
- Message-id: <200402012207.59857.thomas.jones@xxxxxxxxxxxxxxxx>
On Sunday 01 February 2004 09:49 am, David Herman wrote:
> On Saturday 31 January 2004 11:14 pm, GarUlbricht7@xxxxxxxxxxxx wrote:
> > I am surprized that you have not posted this on
> > suse-security mailing list:
> > http://www.suse.com/us/private/support/online_help/mailinglists/index
> >.html
> >
> > Or maybe you have and I just missed it.
>
> ----------snip--------
> Actually I wasn't on that list until just now, I'll post there shortly
> unless someone beats me to it.
>
> I was really hoping that checkroot was giving a false positive. I did
> fill out the webform at feedback.suse but who knows how long that will
> take.
>
> see ya
> --
> dh
> Don't shop at GoogleGear.com!
A couple notes:
Have you checked your system logs?
Did you have wither an tripwire or AIDE database prior?
Check for deleted(possibly trojaned) executables via:
# file /proc/[0-9]*/exe|grep '(deleted)'
Also extract the binary version from the installation CD of ps,ls,who -----
commonly trojaned executables onto a floppy from another system. Write
protect it!
Then perform a compare of the valid(floppy) version against the possibly
trojaned executable via:
# cmp /media/floppy/valid_exec /bin/trojan_exec
This will do a byte-by-byte comparison of both executables.
You can search for the debugging symbols from the "trojaned" executable via:
# nm trojan_exec | more
Also check for any ascii text in the executable via:
# strings -a trojan_exec | more
HTH.
thomas
> On Saturday 31 January 2004 11:14 pm, GarUlbricht7@xxxxxxxxxxxx wrote:
> > I am surprized that you have not posted this on
> > suse-security mailing list:
> > http://www.suse.com/us/private/support/online_help/mailinglists/index
> >.html
> >
> > Or maybe you have and I just missed it.
>
> ----------snip--------
> Actually I wasn't on that list until just now, I'll post there shortly
> unless someone beats me to it.
>
> I was really hoping that checkroot was giving a false positive. I did
> fill out the webform at feedback.suse but who knows how long that will
> take.
>
> see ya
> --
> dh
> Don't shop at GoogleGear.com!
A couple notes:
Have you checked your system logs?
Did you have wither an tripwire or AIDE database prior?
Check for deleted(possibly trojaned) executables via:
# file /proc/[0-9]*/exe|grep '(deleted)'
Also extract the binary version from the installation CD of ps,ls,who -----
commonly trojaned executables onto a floppy from another system. Write
protect it!
Then perform a compare of the valid(floppy) version against the possibly
trojaned executable via:
# cmp /media/floppy/valid_exec /bin/trojan_exec
This will do a byte-by-byte comparison of both executables.
You can search for the debugging symbols from the "trojaned" executable via:
# nm trojan_exec | more
Also check for any ascii text in the executable via:
# strings -a trojan_exec | more
HTH.
thomas
| < Previous | Next > |