LinuxSA Mailing list archives
From: Corey Gilmore <cfg@dln.uvm.edu>
To: LinuxSA <linuxsa@linuxsa.org.au>
Date: Mon, 23 Apr 2001 16:20:05 -0400 (EDT)
Subject: Re: /dev/.lib
You've been hit by the Lion worm or some variant similar to it...
Sorry for the long URLs:
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D75%26mid%3D171422
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26mid%3D7305
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D75%26mid%3D170856
.cfg
On Mon, 23 Apr 2001, Daryl Tester wrote:
> "Darryl Ross" <dross@syc.asn.au> wrote:
>
> > I've just gone through all my servers looking for /dev/.lib and sure enough
> > I found it on one of them (A RedHat box). Are there any other telltale
> > signs I should be looking for to try and work out if a box has been hacked?
>
> Well, tripwire and FreeVeracity are the best tools for detecting this sort of
> thing, but they need to be set up before the invasion, not after. Sometimes
> executing a "find /dev -type f -print" reveals a fair bit, as root kits have been
> known to live under /dev (makedev should be the only file living in this
> tree), and quite often ls has been trojaned to prevent you from looking
> there (and ps from looking for running processes), but bear in mind that
> all of your binaries are now suspect.
>
> Regards,
> Daryl Tester
>
>
--
LinuxSA WWW: http://www.linuxsa.org.au/ IRC: #linuxsa on irc.linux.org.au
To unsubscribe from the LinuxSA list:
mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject
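
The /dev check discussed in this thread, as an added example that is not part of the original messages: a small POSIX shell function that reports regular files (other than MAKEDEV) and dot-named directories under a /dev tree. The function name `scan_dev`, its output format and the mount point in the usage line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Run it from trusted tools (for instance
# rescue media with the suspect disk mounted read-only), since find on a
# compromised host may itself be trojaned.
#
# scan_dev DEVDIR prints one finding per line and returns:
#   0  nothing unexpected   1  findings to review   2  DEVDIR is not a directory
# -xdev keeps the scan on DEVDIR's own filesystem, so separately mounted
# trees below it (such as /dev/shm on current systems) are not descended into.
scan_dev() {
    devdir=${1:-/dev}
    if [ ! -d "$devdir" ]; then
        echo "scan_dev: $devdir is not a directory" >&2
        return 2
    fi
    hits=$(
        # Regular files: a static /dev holds device nodes plus MAKEDEV.
        find "$devdir" -xdev -type f ! -name MAKEDEV -print | sed 's/^/file /'
        # Dot-named directories, such as the /dev/.lib reported in this thread.
        find "$devdir" -xdev -type d -name '.*' ! -path "$devdir" -print |
            sed 's/^/hidden /'
    )
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits" | LC_ALL=C sort -k2
    return 1
}

# Usage: sh scan_dev.sh /mnt/suspect/dev   (mount point is a placeholder)
if [ $# -gt 0 ]; then
    scan_dev "$1"
fi
```

A finding is a prompt for manual review, not proof of compromise, and an empty result does not clear the host.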