Re: Linux hacked

From: Barrie Dempster (barrie_at_reboot-robot.net)
Date: 10/21/04

    To: "Nicholson, Dale" <DNicholson@APACMail.com>
    Date: Thu, 21 Oct 2004 11:08:37 +0100
    
    
    

    On Wed, 2004-10-20 at 11:52 -0500, Nicholson, Dale wrote:

    <snip>
    > Can someone help me with where to get a listing of everything I have
    > installed and the versions?
    `ls /var/db/pkg/*/*/*.ebuild | cut -d/ -f5-6 | less`
     
    will list everything you have installed

    > Also, I need something that can detect root kits etc. on linux. I've heard
    > knoppix mentioned as having good tools on this list for an example, but I
    > wouldn't know what tools to use for this particular case.
    chkrootkit - http://www.chkrootkit.org
    or
    rkhunter - http://freshmeat.net/projects/rkhunter

    You will also find chkrootkit on knoppix-STD -
    http://www.knoppix-std.org

    > This is what I tried so far:
    > I logged in using a boot CD, mounted the hard disks, chrooted in, blanked
    > out the root password in the /etc/shadow file, changed the root password,
    > rebooted and tried to log in normally. This did not work. I also checked
    > that the correct users were in both /etc/passwd and /etc/shadow.

    The attacker may have modified the login binary. Since it's a Gentoo box
    and the binaries will be self-compiled, it will be hard to verify this,
    as I'm under the impression you haven't been performing integrity
    checks. I suggest you don't put this install back into production, since
    you are a self-confessed novice and will have a hard time cleaning it
    out.

    Find all the key configuration files and back them up (or use a recent
    backup) before a reinstall of the system, then replace everything as
    needed. Be sure to verify that the configuration files you restore to
    the new install don't have any dodgy modifications; if in doubt, rebuild
    the config from the default config files.

    No offence intended, but if your admin can't talk you through getting
    access to the box again, then maybe you should seek advice from
    elsewhere on the running of your machine. Since you have little security
    experience yourself, getting someone that knows security would be a good
    help. Also, updating a machine once a week doesn't equate to good
    security; if he isn't log monitoring and performing integrity checks,
    then you won't know if you are being attacked or not.

    Good Luck. :-)

    -- 
    Barrie Dempster (zeedo) - Fortiter et Strenue
      http://www.bsrf.org.uk
    [ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]
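The reply above recommends integrity checks and verifying restored configuration files for dodgy modifications. As an added example (not from the thread or its author), the following POSIX sh script records a sha256 baseline of a known-good tree and later reports every changed, added or removed file; it assumes coreutils sha256sum, find, sort, mktemp and a POSIX awk are available.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal file-integrity baseline of the
# kind the reply recommends. Run "baseline" over a known-good tree (e.g. config
# files taken from a trusted backup), then "check" against the tree you are
# about to restore; every changed, added or removed file is reported.
# Assumes coreutils sha256sum, find, sort, mktemp and a POSIX awk.

# make_baseline DIR MANIFEST: write "sha256  ./relative/path" for every regular
# file under DIR. (Filenames containing newlines are not handled.)
make_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum -- {} + ) | LC_ALL=C sort -k2 > "$2"
}

# check_baseline DIR MANIFEST: hash DIR now and compare against MANIFEST.
# Prints one line per deviation; returns 0 if the tree matches, 1 otherwise.
check_baseline() {
    cur=$(mktemp) || return 2
    make_baseline "$1" "$cur"
    awk '
        # sha256sum lines are 64 hex chars, two spaces, then the path.
        FILENAME == ARGV[1] { base[substr($0, 67)] = substr($0, 1, 64); next }
        { now[substr($0, 67)] = substr($0, 1, 64) }
        END {
            for (p in base) {
                if (!(p in now))            { print "REMOVED  " p; bad = 1 }
                else if (base[p] != now[p]) { print "CHANGED  " p; bad = 1 }
            }
            for (p in now)
                if (!(p in base))           { print "ADDED    " p; bad = 1 }
            exit bad
        }' "$2" "$cur"
    rc=$?
    rm -f "$cur"
    return $rc
}

# Command-line use: integrity.sh baseline DIR MANIFEST | check DIR MANIFEST
case "$1" in
    baseline) make_baseline "$2" "$3" ;;
    check)    check_baseline "$2" "$3" ;;
esac
```

Store the manifest somewhere the compromised host cannot write to (read-only media or another machine), otherwise an attacker who alters a file can update the baseline to match.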
    
    


