LinuxSA Mailing list archives
From: Tim Aslat <tim@spyderweb.com.au>
To : LinuxSA <linuxsa@linuxsa.org.au>
Date: Mon, 23 Apr 2001 12:33:49 +0930
Re: /dev/.lib
Darryl Ross wrote:
>
> Hey All,
> I've just gone through all my servers looking for /dev/.lib and sure enough
> I found it on one of them (a RedHat box). Are there any other telltale
> signs I should be looking for to try and work out if a box has been hacked?

The surest sign is a user added to the /etc/passwd file with a uid of 0 that you
didn't put there. Other things to look for are changes to /bin/login and
/usr/bin/passwd.
These may not be easy to spot as the datestamps are probably the same, but if
you install the util-linux packages again, that should give you an indication,
or at least it will recover the /bin/login executable.

One trick I've used before is the locate command: 'locate " "' or 'locate "..."'
or a similar combination will generally find something even if ls has been hacked
to not show it up.

The safest and surest method of making sure is to re-install from a known
secure media (original CD), applying the latest patches & updates, and generally
reading the security howto's.

I realise that this can be a pain in the behind, but it's better than having a
server/box of unknown security attached to your network.
--
Tim Aslat tim@spyderweb.com.au | To err is human...to really foul up
Spyderweb Consulting | requires the root password.
http://www.spyderweb.com.au | -- anon
Phone: +61 8 82270800 |
Mobile: +61 401088479 | #include <disclaimer.h>
--
LinuxSA WWW: http://www.linuxsa.org.au/ IRC: #linuxsa on irc.linux.org.au
To unsubscribe from the LinuxSA list:
mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject
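
The checks described in the message above, as an added read-only shell example that is not part of the original post: it lists UID 0 accounts other than root, hidden entries such as /dev/.lib, and names made only of dots and spaces. The function names, the `--live` switch, the choice of /dev, /tmp and /var/tmp, and the assumption that root is the only UID 0 account you created are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. All checks are read-only.

# Names of accounts in a passwd-format file ($1) that have UID 0 but are
# not "root". Assumption: "root" is the only UID 0 account you created.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Paths under directory $1 whose final component consists only of dots
# and spaces (" ", "...", ". ."), the kind of name the locate trick finds.
# Uses find rather than ls, so it does not rely on the ls binary.
dot_space_names() {
    find "$1" ! -name '*[!. ]*' -print
}

# Hidden entries (leading dot) under $1, for example a /dev/.lib directory.
# Some systems keep legitimate dot entries here; review each hit.
hidden_entries() {
    find "$1" -name '.*' -print
}

# Touch the live system only when invoked as: sh checks.sh --live
if [ "${1:-}" = "--live" ]; then
    echo "UID 0 accounts other than root:"
    extra_uid0_accounts /etc/passwd
    echo "Hidden entries under /dev:"
    hidden_entries /dev 2>/dev/null
    echo "Dot-and-space names under /dev, /tmp, /var/tmp:"
    for d in /dev /tmp /var/tmp; do
        dot_space_names "$d" 2>/dev/null
    done
fi
```

On a host that is already suspect, the output is only as trustworthy as its find and awk binaries and its kernel, so an empty result does not replace the reinstall the message recommends.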