Re: Question about 'Hidden' Directories in ext2

From: Pablo Alcaraz (pabloa@laotraesquina.com.ar)
Date: Sat Apr 13 2002 - 11:58:31 EST


You may use tripwire after you clean your system.
Tripwire will check your system for changes in critical files.

Pablo

Craig Knox wrote:

>On Tue, 2002-04-02 at 23:16, Calin A. Culianu wrote:
>
>>Ok, so some hackers broke into one of our boxes and set up an ftp site.
>>They monopolized over 70gb of hard drive space with warez and porn. We
>>aren't really that upset about it, since we thought it was kind of funny.
>>(Of course we don't like the idea that they are using our bandwidth and
>>disk space, but we can easily remedy that).
>>
>>Anyway, the weird thing is they created 2 directories, both of which were
>>strangely hidden. You can cd into them but you can't ls them. I
>>
>>/usr/lib/ypx and /usr/man/ypx were the two directories that contained both
>>the ftp software and the ftp root. When you are in /usr/man and you do an
>>ls, you don't see the ypx directory (same when you are in /usr/lib). The
>>ls binary we got is right off the redhat cd so it shouldn't still be
>>compromised by whatever rootkit was installed.
>>
>>My question is this: can the data structures in ext2fs be somehow hacked
>>so a directory can't appear in a listing but can be otherwise located for
>>a stat or a chdir? I should think no.. maybe we still haven't gotten rid
>>of the rootkit...
>>
>
>If you are using the binary "ls" off the redhat CD, they are probably
>using a kernel module to hide this directory.
>Have you tried running -> http://www.chkrootkit.org on the box?
>
>

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
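The symptom in the thread (you can cd into /usr/lib/ypx and stat it, but ls never shows it) leaves a footprint that a readdir()-filtering kernel module cannot easily erase: on ext2-family filesystems every subdirectory holds a ".." link to its parent, so a directory's st_nlink is 2 + the number of immediate subdirectories. The checker below, an added example that is not code from the original thread, compares the link count against what the listing actually returns, and separately probes suspect names with stat() the way the poster did by hand. The `listdir` parameter is an assumption introduced here so the logic can be exercised without a rootkit; the hidden-name list and the temp-directory layout are constructed inputs.

```python
"""Detect subdirectories hidden from readdir() but reachable via stat()/chdir().

Two checks, both usable from a clean rescue environment:
  1. nlink_gap(): on ext2/ext3/ext4 (and tmpfs) a directory's st_nlink is
     2 + number of immediate subdirectories. A listing that shows fewer
     subdirectories than st_nlink - 2 means something was filtered out.
  2. probe_names(): stat() candidate names directly; if the inode is there
     but readdir() omits the name, the listing is being tampered with.
The `listdir` argument defaults to os.listdir and is injectable purely so the
logic can be demonstrated without an actual kernel-level hook (assumption).
"""
import os
import stat
import sys
from typing import Callable, Dict, Iterable, List, Optional

Lister = Callable[[str], Iterable[str]]


def nlink_gap(path: str, listdir: Lister = os.listdir) -> Optional[int]:
    """Subdirectories implied by st_nlink but absent from the listing.

    Returns None when the filesystem does not follow the 2+N convention
    (btrfs, for example, reports st_nlink == 1 for directories), 0 when the
    listing and link count agree, and a positive count when entries appear
    to be hidden. Hidden plain files do not affect st_nlink, so this check
    only catches hidden directories.
    """
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode) or st.st_nlink < 2:
        return None
    visible_subdirs = 0
    for name in listdir(path):
        try:
            if stat.S_ISDIR(os.lstat(os.path.join(path, name)).st_mode):
                visible_subdirs += 1
        except FileNotFoundError:
            continue  # entry vanished between listing and lstat; ignore
    gap = (st.st_nlink - 2) - visible_subdirs
    return gap if gap >= 0 else None  # negative gap: convention not followed


def probe_names(parent: str, candidates: Iterable[str],
                listdir: Lister = os.listdir) -> List[str]:
    """Names that stat() confirms exist under `parent` but the listing omits."""
    listed = set(listdir(parent))
    hidden = []
    for name in candidates:
        if name in listed:
            continue
        try:
            os.lstat(os.path.join(parent, name))
        except FileNotFoundError:
            continue
        hidden.append(name)  # reachable by path, invisible to readdir()
    return hidden


def scan_tree(root: str, listdir: Lister = os.listdir) -> Dict[str, int]:
    """Walk `root` with the given lister; map each directory to its nlink gap (>0 only)."""
    findings: Dict[str, int] = {}
    stack = [root]
    while stack:
        current = stack.pop()
        gap = nlink_gap(current, listdir)
        if gap:
            findings[current] = gap
        try:
            for name in listdir(current):
                full = os.path.join(current, name)
                if stat.S_ISDIR(os.lstat(full).st_mode):
                    stack.append(full)
        except (FileNotFoundError, PermissionError):
            continue
    return findings


if __name__ == "__main__":
    # Usage: python3 hidden_dirs.py /usr/lib /usr/man   (paths from the thread)
    for top in sys.argv[1:] or ["/usr/lib", "/usr/man"]:
        for directory, gap in sorted(scan_tree(top).items()):
            print(f"{directory}: link count implies {gap} more subdirector{'y' if gap == 1 else 'ies'} than listed")
```

Run it from a known-clean kernel (rescue media), since a module that hooks getdents() can lie to this script exactly as it lies to ls; the link count is the part it is least likely to have patched. A gap of zero is not proof of a clean system, only the absence of this particular artifact.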



This archive was generated by hypermail 2b29 : Mon Apr 15 2002 - 22:00:22 EST