[TriLUG] invisible directories...
Gregory Woodbury
ggw at wolves.homeip.net
Mon Apr 21 17:01:00 EDT 2003
"It was written once upon a time (by Paul D. Boyle):"
>
> Jeff Painter wrote:
> > I'm not sure of what the vulnerability was, but I did determine which
> > files were replaced.
> >
> > /bin/df
> > /bin/ls
> > /bin/netstat
> > /bin/ping
> >
> > I'll keep looking...
>
> These look pretty typical for the binaries which get replaced during an
> attack. The best thing to do is to wipe your disk clean (i.e. reformat
> it) and reinstall from virgin (i.e. CD-ROM) media. I assume you have
> backups of your /home and other user data or system specific directories.
> If not, then pretty much your only option is to hand pick your way through
> your system specific directories looking for nasties which may have been
> left behind. Hopefully, you won't miss anything.
>
> Good Luck,
Yes, good luck!
There is a chkrootkit program (chkroot.org?) that looks for the most
common trojans and backdoors. Tripwire is also a good change verifier
but takes a good bit of setting up and administration.
rpm -Va is a quick and dirty first look.
--
Gregory G. "Wolfe" Woodbury          `-_-'        Owner/Admin: wolves.durham.nc.us
ggw at wolves.durham.nc.us             U
"The Line Eater is a Boojum Snark"                Hug your wolf.
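The "rpm -Va" first look that the reply suggests produces one line per file whose recorded attributes no longer match the package database. The script below is an added example, not code from the original post or from the rpm project: it parses that output (format as documented in rpm(8): a flag string such as S.5....T., an optional attribute marker like c for config files, then the path, or the word "missing") and reports only the entries that look like a replaced system binary, i.e. a size, digest, mode or ownership change outside config files, under the usual binary directories. The sample output is constructed here; in real use pipe "rpm -Va" into it. Caveat a practitioner should keep in mind: rpm, its database and the libraries it loads all live on the compromised disk, so a rootkit that swapped ls and netstat can just as easily have swapped rpm or edited the database; treat this as triage only and run the real check from trusted media against the mounted disk.

```python
"""Triage helper for `rpm -Va` output (added example, not from the original post).

Assumed input format (rpm(8)): "<flags> [c|d|g|l|r] <path>" or "missing <path>".
Usage:  rpm -Va | python3 rpm_triage.py
"""
import re
import sys
from dataclasses import dataclass

# Meaning of each letter in the rpm verify flag string, per rpm(8).
FLAG_MEANINGS = {
    "S": "size differs",
    "M": "mode (permissions/type) differs",
    "5": "digest (MD5/SHA) differs",
    "D": "device major/minor differs",
    "L": "symlink target differs",
    "U": "owner differs",
    "G": "group differs",
    "T": "mtime differs",
    "P": "capabilities differ",
}

# A changed size/digest/mode on a non-config file in a binary directory is
# what a trojaned binary looks like; an mtime-only change is routine noise.
BINARY_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/", "/usr/lib/")
SUSPICIOUS_FLAGS = set("SM5DLUG")

# rpm 3.x printed 8 flag positions, rpm 4.x prints 9; "?" means the test
# could not be performed (e.g. unreadable file).
LINE_RE = re.compile(
    r"^(?P<flags>missing|[SM5DLUGTP.?]{8,9})\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S+)$"
)

# Constructed sample of what `rpm -Va` might print on the box in the thread.
SAMPLE_OUTPUT = """\
S.5....T.    /bin/ls
S.5....T.    /bin/netstat
S.5....T.    /bin/df
S.5....T.    /bin/ping
.......T.    /bin/mount
S.5....T.  c /etc/ssh/sshd_config
missing      /usr/bin/top
.M.......    /usr/bin/passwd
"""


@dataclass
class Finding:
    path: str
    flags: str
    attr: str
    reasons: list


def parse_line(line):
    """Return (flags, attr, path) for one rpm -Va line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("flags"), m.group("attr") or "", m.group("path")


def triage(output):
    """Return the Findings for entries that look like replaced or missing system binaries."""
    findings = []
    for line in output.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        flags, attr, path = parsed
        if attr == "c":
            continue  # config files legitimately drift; not what we are hunting
        if not path.startswith(BINARY_DIRS):
            continue
        if flags == "missing":
            findings.append(Finding(path, flags, attr, ["file missing"]))
            continue
        reasons = [FLAG_MEANINGS[c] for c in flags if c in SUSPICIOUS_FLAGS]
        if reasons:
            findings.append(Finding(path, flags, attr, reasons))
    return findings


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for f in triage(text):
        print(f"{f.flags:<10} {f.path}: {', '.join(f.reasons)}")
```

Run against the constructed sample it lists the four binaries from the thread (ls, netstat, df, ping), the missing top and the mode change on passwd, and stays quiet about the mtime-only mount entry and the edited sshd_config.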