And again, as always mentioned on this list: if the machine was attacked and you have finished the forensic analysis, format the hard disk and do a fresh install from CD-ROM. It sure would help if you knew how the attacker came in, and which other machines on your net have also been compromised...
Thomas
-----Original Message----- From: Togan Muftuoglu [mailto:toganm@turk.net] Sent: Saturday, 10 February 2001 12:48 To: SuSE Security Mail List Subject: Re: [suse-security] server-check
Thomas Lamy wrote:
> No, it's just your binaries are swapped with those from the root-kit, and these hide themselves... Get those binaries from a safe machine (better CD-ROM) into a temporary directory (for forensic analysis, do not overwrite any binaries nor reboot the machine!), and try it again with those safe binaries. You may also do an "rpm --verify -a > /tmp/some/file" to check the md5-hashes of all installed packages, to see if and which binaries on your system have been replaced by the attacker's root-kit.
(SH...T)
OK, can I run these tools from my laptop connected to the f....ed machine via ethernet? (I can use the live CD, so those binaries on the laptop will not have the possibility to be hacked.)
> Regards, Thomas
---------------------------------------------------------------------
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
-- Togan Muftuoglu
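The "rpm --verify -a" step Thomas recommends produces one line per changed file, and on a box full of modified config files the real findings drown in noise. The script below is an added example (mine, not code from the thread or from SuSE) that runs the verify pass with trusted tools and reduces the output to the files a forensic analyst cares about: non-config files whose MD5 digest no longer matches the package database, and files that have gone missing, with classic rootkit targets (ps, ls, netstat, ifconfig, login, ...) marked first. The TRUSTED_BIN directory, the output path and the sample rpm -V lines are assumptions; the sample is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: triage "rpm --verify -a" output from a suspected-compromised host.
# Assumptions (mine, not the thread's):
#   - TRUSTED_BIN holds known-good, statically linked tools (rpm, awk, sh, ...)
#     copied from CD-ROM or a clean laptop, never the host's own /bin.
#   - rpm -V lines look like "S.5....T.    /bin/ls" or "S.5....T.  c /etc/inittab":
#     eight or nine flag characters, an optional attribute letter (c = config
#     file), then the path. '5' means the MD5 digest differs from the package
#     database; a line starting with "missing" means the file is gone.

# Run the verify pass with trusted tools only and save the raw output, so the
# host is not modified and the list can be re-examined later. The output file
# should live on a mounted trusted location (e.g. the laptop over NFS), not on
# the suspect disk. Not executed by default; see the demo at the bottom.
run_verify() {
    trusted="${1:-$TRUSTED_BIN}"
    out="${2:-/mnt/laptop/forensics/rpm-verify.txt}"
    PATH="$trusted" "$trusted/rpm" --verify -a > "$out" 2>&1
    echo "$out"
}

# Constructed sample of rpm -V output (not captured from a real host).
SAMPLE_RPM_V='S.5....T.    /bin/ls
S.5....T.    /bin/ps
S.5....T.    /bin/netstat
S.5....T.  c /etc/inittab
.......T.    /usr/bin/vim
..5....T.  c /etc/ssh/sshd_config
missing      /sbin/ifconfig'

# Read rpm -V lines on stdin; print one finding per line:
#   MODIFIED <path>  digest changed on a non-config file (replacement candidate)
#   MISSING  <path>  file removed from the filesystem
# Config files (c, d, g, l, r attribute) with a changed digest are expected and
# are dropped; a changed mtime (T) with a matching digest is not reported.
suspicious_files() {
    awk '
        $1 == "missing"                          { print "MISSING " $NF; next }
        index($1, "5") && $2 !~ /^[cdglr]$/      { print "MODIFIED " $NF }
    '
}

# Binaries that user-land rootkits of this era classically replaced, so that
# a modified copy is flagged with "!!" at the front of the finding.
CLASSIC_TARGETS=' ls ps netstat ifconfig login find top du lsof syslogd sshd inetd '

rank_findings() {
    awk -v targets="$CLASSIC_TARGETS" '
        {
            n = split($NF, parts, "/"); base = parts[n]
            mark = index(targets, " " base " ") ? "!! " : "   "
            print mark $0
        }
    '
}

# Demo: parse the constructed sample, or a saved rpm -V file if one is given.
#   RPM_VERIFY_FILE=/mnt/laptop/forensics/rpm-verify.txt sh triage.sh
if [ -z "$RPM_VERIFY_FILE" ]; then
    printf '%s\n' "$SAMPLE_RPM_V" | suspicious_files | rank_findings
else
    suspicious_files < "$RPM_VERIFY_FILE" | rank_findings
fi
```

Two caveats worth keeping in mind when reading the result. First, rpm -V compares files against the rpm database on the compromised disk, and an attacker with root could have re-registered the replaced binaries there; verifying against the original package files from the CD with "rpm -Vp /path/to/package.rpm" (the -p select option) avoids trusting that database. Second, a kernel-level rootkit can lie to even a trusted, statically linked rpm or md5sum, which is one more reason the clean tools and the comparison should run from the laptop where possible, and why the final answer is still the reinstall Thomas describes.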