Re: RootKits Question
From: Devdas Bhagat (firstname.lastname@example.org)
From: Devdas Bhagat <email@example.com>
To: "Nick Lange" <firstname.lastname@example.org>, <email@example.com>
Subject: Re: RootKits Question
Date: Wed, 1 Aug 2001 22:33:12 +0530
Message-Id: <firstname.lastname@example.org>
On Wed, 01 Aug 2001, Nick Lange spewed into the ether:
> Does anyone know of any rootkits off the top of their head that leave a
> /sbin/a.out behind?
I think the incidents list might be a better place for this.
I don't know of any such kit.
> I'm fairly certain I got rooted two days ago (didn't look at yesterday's
> security report like an idiot...)
> the md5 / file checks show a new file, /sbin/a.out with MD5
> 0x4b689a480ff3ff85862e94d05125ac26 : /sbin/a.out
strings on a.out? Command history, if any is left?
> The machine was a redhat install but patched up from all relevant security
> advisories (or so I thought, the only one I can see is maybe xinetd)...
netstat, lsof, fuser?
> I left sshd, apache + php 4.0.6, datapipe.c (see www.rootshell.com / search),
> mysql*[I meant to firewall that off but never got around to it] listening on
> the external interface, and I *had* no local users so it has to be something
Any other admin compiling something in /sbin? You doing something like
> anyone seen anything? a quick search for /sbin/a.out reveals nothing
> it may have been datapipe.c but I doubt that as well, as it's simply a port
> forwarder [for auth port]
Move to a throwaway machine and strace it. strings a.out might help,
and maybe gdb a.out.
See if you can see any more new files, particularly *.[cC]*
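The "md5 / file checks" that surfaced /sbin/a.out, and the suggestion to look for leftover source files matching *.[cC]*, can be reproduced with a small baseline-and-compare script. The following Python is an added example written for this archive page, not code from either poster; the function names (snapshot, compare, find_source_leftovers, demo) and the fake /sbin contents it builds in a temporary directory are constructed for the demonstration.

```python
"""Baseline-and-compare integrity check for a system directory.

Added example (not from the original thread): records a hash and mode for
every regular file under a directory, reports files that were added,
modified or removed relative to a stored baseline, and lists source-file
leftovers (*.[cC]*) of the kind the reply suggests looking for.
All paths and file contents in demo() are constructed for the demo.
"""
import fnmatch
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, algo: str = "sha256") -> str:
    """Hash one file in chunks so large binaries are not read into memory at once."""
    h = hashlib.new(algo)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each regular file under root (relative path) to its hash and permission bits."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # symlinks and special files need a separate check
            rel = str(p.relative_to(root))
            snap[rel] = {"hash": hash_file(p), "mode": oct(p.stat().st_mode & 0o7777)}
    return snap


def compare(baseline: dict, current: dict) -> dict:
    """Return added/modified/removed relative paths between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}


def find_source_leftovers(root: Path, pattern: str = "*.[cC]*") -> list:
    """List files whose name matches the shell glob from the reply (e.g. dp.c, foo.C)."""
    return sorted(
        str(p.relative_to(root))
        for p in root.rglob("*")
        if p.is_file() and fnmatch.fnmatch(p.name, pattern)
    )


def demo() -> dict:
    """Constructed scenario: baseline a fake /sbin, then simulate a post-incident state."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ifconfig").write_bytes(b"\x7fELF-original")
        (root / "init").write_bytes(b"\x7fELF-init")
        baseline_json = json.dumps(snapshot(root))  # what you would store off-host

        # Simulated later state: an unknown binary, a stray source file, a changed init
        (root / "a.out").write_bytes(b"\x7fELF-unknown")
        (root / "dp.c").write_text("int main(void) { return 0; }\n")
        (root / "init").write_bytes(b"\x7fELF-init-changed")

        report = compare(json.loads(baseline_json), snapshot(root))
        report["source_leftovers"] = find_source_leftovers(root)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline only helps if it was taken before the incident and kept somewhere the host cannot alter (off-host or on read-only media), and the comparison should be run with tools you trust rather than the host's own binaries; that is the same reason the reply recommends moving the suspect file to a throwaway machine before running strings, strace or gdb on it.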