Re: RootKits Question

From: Martin Ostlund (mo@ares.sot.com)
Date: 08/01/01


Date: Wed, 1 Aug 2001 20:16:30 +0300 (EEST)
From: Martin Ostlund <mo@ares.sot.com>
To: Nick Lange <nlange@usb.com>
Subject: Re: RootKits Question
Message-ID: <Pine.LNX.4.10.10108012015440.9797-100000@ares.sot.com>

On Wed, 1 Aug 2001, Nick Lange wrote:
> The machine was a redhat install but patched up from all relevant security
> advisories (or so I thought, the only one I can see is maybe xinetd)...

 Hi. One can never be secured enough:)
> anyone seen anything? a quick search for /sbin/a.out reveals nothing
> it may have been datapipe.c but I doubt that as well, as it's simply a port
> forwarder [for auth port]
> nick
 Have you tried strings /sbin/a.out ? strings will print out
all readable text from a binary, also check which date and time it was
created, and if something shows up in messages/syslog around that
date and time. Try to check for backdoors, netstat -atn | grep LIST

-martin