On Friday 12 October 2001 06:41, Togan Muftuoglu wrote:
* Eric Whiting; on 11 Oct, 2001 wrote:
I did a check of all /usr/bin /bin/ /sbin files. They all still have the same checksum as these files on a box in another safer world. (I used rsync -cnR -av -e ssh $SRC $DST to check these dirs) I did a manual scp/diff of netstat/ps/ls/strings.
^^^^^^^^^^^^^^^^
These would be the first to be replaced by an attacker AFAIK in order to hide the files/directories he has installed. So unless you are using these utilities from a safe source I would not have trusted them.
For what it's worth... give 'chkrootkit' a try. It already works remarkably well IMHO, even(!) when it runs directly from a compromised system. If (much, much better!) you run it from safe media it will probably find [close to] any and all scriptkiddie(*) rootkits that are in common use today. Of course, YMMV, and all disclaimers apply etc etc...

http://www.chkrootkit.org/

(*) Unlike scriptkiddies, good crackers/hackers can hide from just about anything but that's another story. Just pray you don't get to deal with one of those people. ;-)

Good luck,
Maarten

--
brick (brik) n. (4) pl. Another item that can be used to crash windows.
Maarten J. H. van den Berg ~~//~~ network administrator
van Boetzelaer van Bemmel - Amsterdam - The Netherlands
http://vbvb.nl T+31204233288 F+31204233286 G+31651994273
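A manifest comparison in the spirit of the rsync -c check discussed in the thread, added here as an example and not code from any of the posts: it records hash, mode and size for every file under the system directories, so a changed setuid bit shows up even when the hash does not. It assumes build_manifest() is run on each host and the two results are compared on the trusted machine, and the PRIORITY list extends the four utilities named above with a few others of the same kind, which is my own assumption.

```python
#!/usr/bin/env python3
"""Diff a suspect host's /bin, /sbin, /usr/bin manifest against a trusted one.

Generate each manifest with build_manifest() on its own host, copy the
suspect one out (scp), and run compare() on the trusted machine.
"""
import hashlib
import os
import stat

# The thread names ps, netstat, ls and strings as the first binaries a
# rootkit replaces; the rest of this list is an assumption of the same kind.
PRIORITY = ("ps", "netstat", "ls", "strings", "find", "login", "sshd")


def file_record(path):
    """(sha256, mode, size) for one file; a symlink is recorded by its target."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return ("symlink:" + os.readlink(path), stat.S_IMODE(st.st_mode), 0)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return (h.hexdigest(), stat.S_IMODE(st.st_mode), st.st_size)


def build_manifest(dirs):
    """Map path -> (sha256, mode, size) for every file below the given dirs."""
    manifest = {}
    for d in dirs:
        for root, _, files in os.walk(d):
            for name in files:
                p = os.path.join(root, name)
                try:
                    manifest[p] = file_record(p)
                except OSError:
                    continue  # unreadable or vanished mid-walk; skip it
    return manifest


def _rank(item):
    # Priority binaries sort first so likely rootkit files head the report.
    return (os.path.basename(item[0]) not in PRIORITY, item[0])


def compare(trusted, suspect):
    """Return modified (path, fields) pairs plus missing and unexpected paths."""
    fields = ("sha256", "mode", "size")
    modified = []
    for path, ref in trusted.items():
        cur = suspect.get(path)
        if cur is not None:
            diff = [f for f, a, b in zip(fields, ref, cur) if a != b]
            if diff:
                modified.append((path, ",".join(diff)))
    return {"modified": sorted(modified, key=_rank),
            "missing": sorted(p for p in trusted if p not in suspect),
            "unexpected": sorted(p for p in suspect if p not in trusted)}
```

As the posts point out, the binaries and interpreter used to build the suspect manifest must themselves come from safe media, otherwise a trojaned tool can hand back the expected values.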