RE: Have I been kitted?

From: Tim Howes (thowes@ssi-ltd.com)
Date: 06/13/02


From: "Tim Howes" <thowes@ssi-ltd.com>
To: <focus-linux@securityfocus.com>
Date: Thu, 13 Jun 2002 10:00:06 +0100

Terry

I have had this before. You could have a corrupt ps binary, so therefore not
able to see the process when doing a ps -aux command. Try and get a new ps
binary on that machine, then run one and then your corrupt one; if you then
compare the outputs you will see the hidden process. Other processes to
check for corruption would be du, ls, df, lsof and find.

You should be able to clean the machine if it is critical for a network, but
if you are in a position where formatting and starting again is not a
problem then do that. However you should take steps to work out how you
were compromised and then take steps to secure for the future. Are you
running portsentry or other programs to prevent attack? Have you got old
insecure versions of openssh running etc.?

When I saw this on my machine I later found out that I had bobkit installed;
luckily I had a local machine here that was not on the network and so could
just pull off the clean binaries.

http://www.stearns.org/detectlib/bobkit.html for a description of the kit
itself.

Good news is that I have recently received an email saying that the hacking
crew that did this to me has been caught!

Regards

Tim Howes
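As an added example (not code from the post above or from any kit description), here is a small POSIX shell script that performs the comparison Tim describes: it lists the PIDs a suspect ps reports and checks them against the PIDs visible in /proc or against the output of a ps binary known to be clean. Paths such as /mnt/clean/bin/ps and the function names are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not from the original post: PIDs present in a reference
# listing (/proc, or a known-clean ps) but absent from the suspect ps's
# output are candidates for a process hidden by a trojaned ps binary.

# pids_from_ps PS_BINARY -> PIDs reported by that ps binary, one per line
pids_from_ps() {
    "$1" -e -o pid= 2>/dev/null | tr -d ' '
}

# pids_from_proc -> PIDs visible as numeric directories under /proc
pids_from_proc() {
    for d in /proc/[0-9]*; do
        if [ -d "$d" ]; then echo "${d#/proc/}"; fi
    done
}

# missing_from REFERENCE SUSPECT -> lines of REFERENCE absent from SUSPECT
# (both arguments are newline-separated lists). awk does the set
# difference so this stays plain POSIX sh; output is sorted numerically.
missing_from() {
    ref_file=$(mktemp) && sus_file=$(mktemp) || return 1
    printf '%s\n' "$1" > "$ref_file"
    printf '%s\n' "$2" > "$sus_file"
    awk 'FILENAME == ARGV[1] { seen[$1] = 1; next }
         NF && !($1 in seen)' "$sus_file" "$ref_file" | sort -n
    rm -f "$ref_file" "$sus_file"
}

# check_ps SUSPECT_PS [CLEAN_PS] -> prints PIDs the suspect ps does not show.
# The reference snapshot and the suspect ps run are not atomic, so a PID
# that shows up once may simply have exited in between: re-run and keep
# only PIDs reported on both passes before treating them as hidden.
check_ps() {
    suspect=$1
    clean=${2:-}
    reference=$(pids_from_proc)
    if [ -n "$clean" ]; then reference=$(pids_from_ps "$clean"); fi
    missing_from "$reference" "$(pids_from_ps "$suspect")"
}

# Usage: sh check_ps.sh /bin/ps [/mnt/clean/bin/ps]   (paths are placeholders)
if [ $# -ge 1 ]; then
    hidden=$(check_ps "$@")
    if [ -n "$hidden" ]; then
        echo "PIDs not reported by $1:"; echo "$hidden"
    else
        echo "no discrepancies between $1 and the reference listing"
    fi
fi
```

Run it from a clean shell (the attacker's PATH may point at replaced binaries, so call the clean ps by its full path) and treat a PID that is missing on two consecutive passes as worth inspecting via /proc/PID/exe and /proc/PID/cmdline.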