Re: Exploit or trojan

From: Felipe Franciosi (ozzybugt_at_terra.com.br)
Date: 12/16/03

  • Next message: Konrad Rieck: "Re: Exploit or trojan"
    Date: Mon, 15 Dec 2003 22:33:51 -0200
    To: <focus-sun@securityfocus.com>
    
    

    Hello,

    I'm not very experienced in forensics of Sun servers, however it is
    very likely that your 'ps' has been compromised. I guess that in
    Solaris systems you can just reach for a new copy of 'ps' and use
    the 'clean' one to check everything out.

    Doing so on Linux systems doesn't help much, since recently there
    have been several kernel backdoors (some are loadable modules,
    others just patch /dev/kmem on the fly) which actually hide the
    processes from 'ps'.

    Last but not least, do not trust 'ls' and 'md5' checksums also,
    since several of your system utils may have been changed as well.

    Regards,
    Felipe

    -- 
    Felipe Franciosi <ozzybugt@terra.com.br>
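The point above is that a clean 'ps' only helps while the kernel itself still tells the truth. One practical cross-check a responder can run is to compare what 'ps' reports against two independent views of the same process table: the numeric entries under /proc and a signal-0 probe of candidate PIDs (which does not depend on reading /proc at all). The script below is an added illustration, not code from the original thread or from the poster; the sample 'ps' output and /proc listing are constructed, and the `live_snapshot` helper assumes a Linux/Solaris-style /proc and a 'ps' that accepts `-eo pid=`.

```python
"""Cross-check the process list visible to ps against /proc and a
signal-0 probe, to surface processes hidden from userland tools.
Added example; the sample data below is constructed."""
import os
import subprocess
from typing import Iterable, List, Set


def pids_from_ps_output(text: str) -> Set[int]:
    """Parse `ps -eo pid=` output: one bare PID per line, no header."""
    return {int(tok) for tok in text.split() if tok.isdigit()}


def pids_from_proc(entries: Iterable[str]) -> Set[int]:
    """Numeric directory names under /proc correspond to live PIDs."""
    return {int(e) for e in entries if e.isdigit()}


def pids_by_kill_probe(candidates: Iterable[int]) -> Set[int]:
    """Probe each PID with signal 0. Success or EPERM means the PID
    exists; ESRCH means it does not. This path does not rely on
    readdir('/proc') or on ps, so it is a third independent view."""
    found = set()
    for pid in candidates:
        if pid <= 0:          # 0 / negatives address process groups, skip them
            continue
        try:
            os.kill(pid, 0)
            found.add(pid)
        except PermissionError:   # exists, but owned by someone else
            found.add(pid)
        except ProcessLookupError:
            continue
    return found


def hidden_pids(visible: Set[int], reference: Set[int]) -> Set[int]:
    """PIDs present in the reference view but absent from the visible one."""
    return reference - visible


def consistently_hidden(snapshots: List[Set[int]]) -> Set[int]:
    """A PID missing from one comparison may simply have exited between
    the two listings (a race). Only report PIDs hidden in every round."""
    if not snapshots:
        return set()
    result = set(snapshots[0])
    for snap in snapshots[1:]:
        result &= snap
    return result


def live_snapshot() -> Set[int]:
    """One round on the running host: /proc entries missing from ps.
    Assumes a /proc filesystem and a ps that accepts '-eo pid='."""
    ps_out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                            text=True, check=True).stdout
    return hidden_pids(pids_from_ps_output(ps_out),
                       pids_from_proc(os.listdir("/proc")))


def self_check() -> bool:
    """Sanity check: the probe must at least find our own PID."""
    return os.getpid() in pids_by_kill_probe([os.getpid()])


# Constructed sample: ps shows three PIDs, /proc shows a fourth (2048).
SAMPLE_PS = "    1\n  842\n 1337\n"
SAMPLE_PROC = ["1", "842", "1337", "2048", "cpuinfo", "self", "meminfo"]

if __name__ == "__main__":
    suspicious = hidden_pids(pids_from_ps_output(SAMPLE_PS),
                             pids_from_proc(SAMPLE_PROC))
    print("sample: hidden from ps but present in /proc:", sorted(suspicious))
    rounds = [live_snapshot() for _ in range(3)]
    print("live: consistently hidden:", sorted(consistently_hidden(rounds)))
```

Run it three or four times and only act on PIDs that stay hidden across rounds; a single miss is usually a process that exited between the two listings. If 'ps', /proc and the signal probe disagree on a stable PID, the host's process accounting is no longer trustworthy and, as the message says, the same suspicion has to extend to 'ls', 'md5' and any other tool on the box.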