Re: rooted ?

From: Pat Parrinello (
Date: 09/11/04

    To: Jason Rusch <>,
    Date: Sat, 11 Sep 2004 08:45:17 -0500

    On Thursday 09 September 2004 07:21, Jason Rusch wrote:
    > Sorry if this is not the correct forum,

      Boot with a CD rescue disk, mount the suspect / and
      ls -alR /{mount point}/lib

      Compare what you see to the same listing (ls -alR /lib)
      in normal running and IF you see some nasty goodies,
      congratulations; you are owned.

      No known (by me) scanner or intrusion detector can find it. You have
      to look first hand using a clean (rescue) running system.

    > Curious: a day or so after an up2date on a Fedora 2 system, I noticed very
    > sluggish behavior. After checking obvious things such as netstat, du,
    > nmaping it from another machine and checking ps commands thoroughly I found
    > nothing abnormal. I then moved on to running a few rootkit scanners, all
    > showed clean (for what it's worth of course). I used both the tarball and
    > rpm chkrootkit and scanned my machine with both.
    > The strange part is that the one run from source showed everything to
    > be ok, the rpm showed 23-35 hidden processes, possible LKM rootkit
    > installed. Now after running the cmd " /usr/lib/chkrootkit-0.43/chkproc -v"
    > I found the processes within /proc and checked the status/info on all.
    > They were all sleeping processes from applications I run all the time
    > (evolution, mozilla, nautilus). I booted the machine in init3 without
    > X and I didn't have this problem.
    > The machine normally boots in init5; now if I start X then the problem
    > arises. Now I don't know if this is the right forum, but I would not think
    > that I am rooted (optimistically said) and this is some weird issue from
    > an update. One more note: all the hidden processes were owned and run under
    > my user account. Any input from anyone would be great. And no, I didn't get
    > Tripwire installed or record an MD5sum record, ooopps.
    > Anyway, just a day or so ago I read somewhere there may be a latency time
    > diff. between the threads that are running and the chkrootkit detection, thus
    > causing the discrepancy?
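The offline-versus-live comparison the reply describes, as an added example that is not part of the original thread: normalize an `ls -alR` listing captured from a rescue boot (suspect root mounted under an assumed /mnt/sysimage) and one captured on the normally running system, then report entries the live system does not show or reports differently. The sample listings are constructed, not real captures.

```sh
# Added example, not from the thread: diff an offline `ls -alR` listing (taken
# from a rescue boot with the suspect root mounted) against one taken on the
# normally running system, as the reply suggests. Sample listings are constructed.
export LC_ALL=C   # stable sort order for comm

# normalize_listing MOUNTPOINT < listing  ->  sorted "path<TAB>mode<TAB>size".
# Drops the mount-point prefix, "total" lines, . and .., and the trailing "."
# or "+" that ls appends to the mode on SELinux/ACL systems (a false difference).
normalize_listing() {
    awk -v mp="$1" '
        /^total /  { next }
        /:$/       { dir = substr($0, 1, length($0) - 1)
                     if (mp != "" && index(dir, mp) == 1) dir = substr(dir, length(mp) + 1)
                     if (dir == "") dir = "/"; next }
        NF >= 9    { if ($9 == "." || $9 == "..") next
                     sub(/[.+]$/, "", $1); p = (dir == "/") ? ("/" $9) : (dir "/" $9)
                     print p "\t" $1 "\t" $5 }
    ' | sort
}

# compare_listings OFFLINE_FILE LIVE_FILE MOUNTPOINT: HIDDEN = path the live
# system does not report at all; CHANGED = same path, different mode or size.
compare_listings() {
    tmp=$(mktemp -d)
    normalize_listing "$3" < "$1" > "$tmp/off"
    normalize_listing ""   < "$2" > "$tmp/live"
    cut -f1 "$tmp/live" > "$tmp/livepaths"
    comm -23 "$tmp/off" "$tmp/live" | cut -f1 | while read -r path; do
        if grep -Fxq -- "$path" "$tmp/livepaths"; then echo "CHANGED $path"
        else echo "HIDDEN $path"; fi
    done
    rm -rf "$tmp"
}

# write_samples DIR: constructed listings; the offline one carries one extra entry.
write_samples() {
    cat > "$1/offline.txt" <<'EOF'
/mnt/sysimage/lib:
total 12
drwxr-xr-x   3 root root 4096 Sep  9 07:21 .
-rwxr-xr-x   1 root root 1234 Sep  9 07:21 libc.so.6
-rw-r--r--   1 root root  512 Sep  9 07:21 libproc.so.0
-rw-r--r--   1 root root 2048 Sep  9 07:21 unknown.so
EOF
    cat > "$1/live.txt" <<'EOF'
/lib:
total 8
-rwxr-xr-x.  1 root root 1234 Sep  9 07:21 libc.so.6
-rw-r--r--.  1 root root  640 Sep  9 07:21 libproc.so.0
EOF
}
```

A HIDDEN line is the signal the reply is talking about; CHANGED lines also need a look, but files legitimately replaced between the two captures (an update, for instance) will show up there too.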
