On 8 Nov 2001 15:34, Richard Clyne wrote:
You could use a live eval version of the linux distribution to get 'safe' copies of the binaries.
You cannot trust a box which has been broken in. Backup - reinstall - patch - connect to the net.
You could use the live eval CD (booting from it!) to check what happened on the compromised machine.
And to answer the original question: a clever attacker would be able to change the entries in the /proc-fs.
It's common to see machines where the attacker recompiled the whole kernel, "patching" all the right places to better hide himself. Changing the /proc files (which are used by many if not all system status commands) or patching open so that when you open some files you get the original version isn't that difficult, and some rootkits did this out-of-the-box. As a result, even "original" ls and ps binaries can't be trusted, even if you have statically linked versions; they ask something of the kernel, and the *whole* kernel could have been changed (and syslog and uptime tampered with to hide the reboot).

Beware however that before rebooting the compromised machine you should try to check what happened/is happening on it, to be able to understand what they did to you and how they were able to do it, so that they won't be able to next time. This could involve sniffing all the unusual/strange traffic from/to the machine, backing up logs (shell histories are also very useful if the attacker isn't a professional ;-) and so on.

Ciao,
Roberto.
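One way to act on both suggestions above (trusted binaries from a live CD, and examining the compromised disk without running anything from it) is to boot the live CD, mount the suspect disk read-only and compare its binaries against the live CD's own copies by hash. The script below is an added example, not code from the thread; the mount point /mnt/suspect, the device name and the directory list are assumptions to adjust for your layout.

```bash
#!/bin/sh
# Added example: from a live CD, compare binaries on a compromised disk against
# the live CD's trusted copies and report any that were replaced or removed.
# Assumes the suspect filesystem was mounted without executing anything from it:
#   mount -o ro,noexec,nosuid,nodev /dev/sdXn /mnt/suspect   (device is a placeholder)
# The live CD must carry the same distribution and version as the victim, otherwise
# every legitimately different build shows up as MODIFIED.
set -u

# compare_trees TRUSTED SUSPECT
# For every regular file directly under TRUSTED, hash it and the file at the same
# relative path under SUSPECT. Prints one line per file (OK, MODIFIED or MISSING)
# and returns 0 only when every file matched.
compare_trees() {
    trusted=$1
    suspect=$2
    rc=0
    for f in "$trusted"/*; do
        [ -f "$f" ] || continue
        rel=${f#"$trusted"/}
        if [ ! -f "$suspect/$rel" ]; then
            echo "MISSING   $rel"
            rc=1
            continue
        fi
        h_trusted=$(sha256sum "$f" | cut -d' ' -f1)
        h_suspect=$(sha256sum "$suspect/$rel" | cut -d' ' -f1)
        if [ "$h_trusted" = "$h_suspect" ]; then
            echo "OK        $rel"
        else
            echo "MODIFIED  $rel"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: compare_binaries.sh /bin /mnt/suspect/bin
# Run it once per directory you care about (/bin, /sbin, /usr/bin, /usr/sbin, /lib).
if [ $# -eq 2 ]; then
    compare_trees "$1" "$2"
fi
```

A MODIFIED ls, ps or netstat on the mounted disk confirms the user-space part of a rootkit; a clean result does not clear the kernel, which is why the thread's advice is still to reinstall rather than to trust the box.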