[TriLUG] Odd

Shane O'Donnell shaneodonnell at gmail.com
Fri Aug 5 21:28:28 EDT 2005


1)  Compile a new kernel
2)  Replace ps
3)  Replace top
4)  Replace init
5)  Replace ls
6)  Replace netstat
7)  Format and reinstall.

Sorry,

Shane O.

On 8/5/05, Brian McCullough <bdmc at bdmcc-us.com> wrote:
> On Fri, Aug 05, 2005 at 03:33:25PM -0400, Michael Alan Dorman wrote:
> >
> > Try using lsattr to look at the attributes of the file---if a file is
> > marked i (for immutable), then chattr -i install-info will make it
> > read/write, but I'll go ahead and mention that the only time I've ever
> > seen a file or bits of files go suddenly immutable was when a box I
> > had once administered was hacked.
> 
> 
> Bingo!  Chkrootkit says that I have Suckit.
> 
> OK, now what?  I gather that I will need to compile a new kernel, change
> the immutable bit in /usr/sbin/*, replace ps, top, ls, init, netstat.
> Anything else?  Any suggestions for plugging the hole after the horse
> has bolted?
> 
> On a network that has apparently no holes except ssh and mail ( but not
> betting on it ) was this penetration definitely from inside, or could it
> have come in from outside?
> 
> 
> Brian
> 
> 
> 
> --
> TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ  : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> TriLUG PGP Keyring         : http://trilug.org/~chrish/trilug.asc
> 
> 


-- 
Shane O.
========
Shane O'Donnell
shaneodonnell at gmail.com
====================
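
Added example, not part of the original message: a shell filter for the lsattr check described in the quoted text above, listing every file whose attribute field carries the immutable `i` flag. The sample listing is constructed, and the names `find_immutable`, `scan_dirs` and `sample_lsattr` are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: list files that lsattr reports as
# immutable ("i"), the attribute discussed in the quoted message.

# Read lsattr output on stdin; print the path of each immutable entry.
find_immutable() {
    while read -r flags path; do
        # Skip blank lines, "dir:" headers from -R and error text:
        # a real attribute field holds only letters and dashes.
        case "$flags" in
            ''|*[!A-Za-z-]*) continue ;;
        esac
        [ -n "$path" ] || continue
        # Lower-case i only; upper-case I is the indexed-directory flag.
        case "$flags" in
            *i*) printf '%s\n' "$path" ;;
        esac
    done
    return 0
}

# Run lsattr over each directory given (absolute paths assumed).
scan_dirs() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        lsattr "$dir" 2>/dev/null
    done | find_immutable
}

# Constructed sample of lsattr output, so the filter can be tried offline.
sample_lsattr() {
    cat <<'EOF'
--------------e------- /usr/sbin/sshd
----i---------e------- /usr/sbin/install-info
----i---------e------- /bin/ps
-----------I--e------- /usr/sbin/conf.d

/usr/sbin/conf.d:
lsattr: Operation not supported While reading flags on /usr/sbin/lnk
EOF
}

if [ "$#" -gt 0 ]; then
    scan_dirs "$@"      # e.g. sh immutable.sh /bin /sbin /usr/bin /usr/sbin
else
    sample_lsattr | find_immutable
fi
```

On a host where chkrootkit has already flagged a kernel-level rootkit, the listing is only as trustworthy as the lsattr binary and kernel that produced it, so collect it from known-good boot media where possible.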


