23 Mar 2000, 13:15
On Wed, 22 Mar 2000, Frank Derichsweiler wrote:
The box of a friend was hacked: /bin/ps, /bin/login and /bin/ls were replaced / trojaned. The original files were placed in /bin/bincp (which is not shown by ls, but cd into that dir works fine).
Tips on how to detect which root kit was used are welcome, too.
Hi!

We had a break-in not long ago and the part about hidden dirs sounds familiar. The intruder used a kernel-based root kit for 2.2 kernels, Knark v0.50, which would put some info about hidden dirs and some other info into the (hidden) /proc/knark dir. Check for it. I could also post the README file from the root kit, maybe that could give you some more clues?

Regards,
Daniel.
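
An added example, not part of either post and not code from any existing detection tool: a small Python check for the symptom the thread describes, a path that can be reached directly but is missing from its parent directory's listing. The two candidate paths are the ones named in the posts; the function and parameter names are made up for illustration, and the check assumes the hiding affects directory listings but not direct lookups.

```python
import os

# Paths named in the thread; extend with other candidates as needed.
CANDIDATES = ("/bin/bincp", "/proc/knark")


def hidden_from_listing(path, listdir=os.listdir, lexists=os.path.lexists):
    """Return True if `path` is reachable by name but its entry is
    absent from the parent directory's listing.

    `listdir` and `lexists` are injectable so the comparison can be
    exercised without a compromised system.
    """
    path = os.path.normpath(path)
    parent, name = os.path.split(path)
    if not name or not lexists(path):
        return False  # nothing there: absent, not hidden
    try:
        names = listdir(parent or ".")
    except OSError:
        return False  # parent unreadable: no listing to compare against
    return name not in names


def scan(paths=CANDIDATES, **lookups):
    """Return the subset of `paths` that are reachable but unlisted."""
    return [p for p in paths if hidden_from_listing(p, **lookups)]


if __name__ == "__main__":
    for p in scan():
        print("reachable but not listed:", p)
```

Python reads the directory itself instead of calling /bin/ls, so a replaced ls binary does not influence the result. A clean run only means these particular paths did not show the discrepancy.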