LinuxSA Mailing list archives

  From: Daryl Tester <Daryl.Tester@iocane.com.au>
  To  : Darryl Ross <dross@syc.asn.au>, LinuxSA <linuxsa@linuxsa.org.au>
  Date: Mon, 23 Apr 2001 14:08:11 +0930

Re: /dev/.lib

"Darryl Ross" <dross@syc.asn.au> wrote:

> I've just gone through all my servers looking for /dev/.lib and sure enough
> I found it on one of them (a RedHat box). Are there any other telltale
> signs I should be looking for to try and work out if a box has been hacked?

Well, tripwire and FreeVeracity are the best tools for detecting this sort of
thing, but they need to be set up before the invasion, not after.  Sometimes
executing a "find /dev -type f -print" reveals a fair bit, as root kits have been
known to live under /dev (makedev should be the only file living in this
tree), and quite often ls has been trojaned to prevent you from looking
there (and ps from looking for running processes), but bear in mind that
all of your binaries are now suspect.

Regards,
  Daryl Tester

-- 
LinuxSA WWW: http://www.linuxsa.org.au/  IRC: #linuxsa on irc.linux.org.au
To unsubscribe from the LinuxSA list:
  mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject
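
Added example, not part of the original message or the list archive: a shell function that performs the `find /dev -type f` check described above using only shell builtins, so the listing does not depend on the `ls` or `find` binaries on disk. It goes slightly beyond the message by also reporting hidden directories such as `/dev/.lib`; the allow-list of expected file names and the `KIND PATH` output format are assumptions of this example.

```shell
#!/bin/sh
# Added example: scan a /dev-style tree with shell builtins only (globbing,
# test, printf), so the result does not rely on the ls or find binaries.

# Assumption: regular files with these names are expected in the tree.
ALLOWED_FILES="MAKEDEV makedev"

is_allowed() {
    for name in $ALLOWED_FILES; do
        [ "$1" = "$name" ] && return 0
    done
    return 1
}

# scan_dev_tree DIR: print one finding per line as "KIND PATH".
scan_dev_tree() {
    # The three patterns cover plain names, dotfiles, and names starting "..".
    for entry in "$1"/* "$1"/.[!.]* "$1"/..?*; do
        # A pattern that matched nothing stays literal and fails both tests.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        base=${entry##*/}
        if [ -L "$entry" ]; then
            continue    # symlinks are normal in /dev; never follow them
        elif [ -d "$entry" ]; then
            # Report before recursing: the recursive call reuses $entry/$base.
            case $base in
                .*) printf 'HIDDEN_DIR %s\n' "$entry" ;;
            esac
            scan_dev_tree "$entry"
        elif [ -f "$entry" ]; then
            is_allowed "$base" || printf 'REGULAR_FILE %s\n' "$entry"
        fi
        # Device nodes, FIFOs and sockets fall through unreported.
    done
}

# Stand-alone use: sh scan.sh /dev
if [ "$#" -gt 0 ]; then
    scan_dev_tree "$1"
fi
```

The shell running this is itself one of the suspect binaries, so the output is most trustworthy when the function is run from known-good boot media against the mounted filesystem. On systems that keep regular files under `/dev` by design (for example a tmpfs at `/dev/shm`), extend the allow-list or expect extra findings.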

