LinuxSA Mailing list archives
From: Adam Hawes <adam.hawes@flinders.edu.au>
To: Richard Russell <richard@yellowgoanna.com>
Date: Mon, 21 Jul 2003 16:10:30 +0930
Re: anyone heard of b00ts?
> > Su to root before you run netstat. The process name may be helpful.
>
> I was root.
>
> Strangely enough, it gave me the usual message about not being root...
> doesn't sound good.

Sounds like netstat has been replaced.

> Doesn't appear to be... unless ifconfig isn't showing it as such...

It's probably lying to you. Grep /var/log/messages for "prom" (case
insensitive grep).

You can make the assumption that the RPM database is not corrupted. You could
try using a clean rpm binary to verify the installed files against their
checksums in the rpm database. It's not foolproof, because a seasoned
cracker could modify the database; but there are so many distros out there, and
so many versions of rpm (and similar programs) that it would be a difficult
task to do for any one particular version.

Install chkrootkit and use that to report if there is a rootkit. Do not trust
its results fully, as it's difficult to know exactly what is and isn't a
rootkit. If it says yes, then rebuild. If it says no then rebuild anyway.

Adam
--
Adam Hawes
Ph.D Student
School of Engineering
Flinders University
ICQ: 2492016
Email: adam.hawes@flinders.edu.au
Mobile: 0402 854 965
http://users.esc.net.au/~ahawes/bcc.html
--
LinuxSA WWW: http://www.linuxsa.org.au/ IRC: #linuxsa on irc.freenode.net
To unsubscribe from the LinuxSA list:
mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject
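
The two checks suggested in the message above (grepping the system log for "prom" and verifying installed files against the rpm database), as an added example that is not part of the original post. The function names and the sample log and `rpm -Va` lines are constructed for illustration; on a suspect host the input would come from /var/log/messages and from a known-clean rpm binary run from read-only media.

```shell
#!/bin/sh
# Added example: triage helpers for the log check and the rpm verification.
# All sample input below is constructed, not taken from a real host.

# Constructed /var/log/messages excerpt.
SAMPLE_MESSAGES='Jul 21 03:12:44 host kernel: eth0: Promiscuous mode enabled.
Jul 21 03:12:44 host kernel: device eth0 entered promiscuous mode
Jul 21 04:00:01 host crond[812]: (root) CMD (run-parts /etc/cron.hourly)'

# Constructed `rpm -Va` output: attribute flags, optional file-type marker, path.
# In the flags field, "S" = size differs, "5" = digest differs, "T" = mtime differs.
SAMPLE_RPM_VA='S.5....T   /bin/netstat
S.5....T   /sbin/ifconfig
.......T c /etc/inittab
missing    /usr/share/doc/foo/README
S.5....T c /etc/hosts'

# Read log lines on stdin, print those mentioning promiscuous mode.
# Real use: promisc_lines < /var/log/messages
promisc_lines() {
    grep -i 'prom'
}

# Read `rpm -Va` output on stdin, print paths whose digest no longer matches
# the rpm database, skipping config/doc/ghost/license/readme files, which
# change legitimately. Assumes paths contain no spaces.
# Real use: /path/to/clean/rpm -Va | changed_binaries   (path is a placeholder)
changed_binaries() {
    awk '
        $1 == "missing"               { next }  # absent file, not a modified one
        index($1, "5") == 0           { next }  # digest unchanged
        NF >= 3 && $2 ~ /^[cdglr]$/   { next }  # marked as config/doc/etc.
        { print $NF }
    '
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_MESSAGES" | promisc_lines
printf '%s\n' "$SAMPLE_RPM_VA"   | changed_binaries
```

A digest mismatch on /bin/netstat or /sbin/ifconfig is consistent with the replaced tools discussed above; an empty result proves nothing if the rpm database itself has been altered.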