Commonly Trojaned Linux services

From: CJ (hah@notonyerlife.com)
Date: 03/14/02


    From: "CJ" <hah@notonyerlife.com>
    Date: Thu, 14 Mar 2002 13:21:43 GMT
    
    

    Hi,

    I'm writing a "watchdog" script to keep an eye on a remote server.
    I won't go into the ins and outs of how it works but what I'd like to know is
    what are commonly altered/trojaned services on a Linux box? (RH7.2 on an i686
    for me)

    So far I've got

    sshd
    httpd
    named
    sendmail
    and I've stuck in iptables for good measure.

    Anything else that anyone is aware of, that in the normal course of things WOULD
    NOT CHANGE!

    I.e., I'm keeping an eye on /etc/passwd, but that will change occasionally
    anyway as users are removed/added. I need to know of binaries that don't alter.

    Yes ... it is somewhat similar to tripwire, but a little more vicious ;)

    TIA

    CJ

    ----------------------------------------------------------------------------
    Year 2000 never bothered me.
    It's year 65536 that I'm worried about
    ----------------------------------------------------------------------------
    H4x0R : I'm way cooler than you! I got 40 scrypts that can kill yer machine
    sysop : Heh! Yeah right!
    w33n3r: Yeah. I can nail you from here man ... gimme your ip and you're toast!
    l4m3rz: Yeah .. we rock .. we're gonna fry your machine
    sysop : Ok, I dare ya ... My ip is 127.0.0.1
    H4x0R : ##Disconnected##
    w33n3r: ##Disconnected##
    l4m3rz: ##Disconnected##
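
An integrity check of the kind the post describes, as an added example that is not part of the original post: it records a SHA-256 hash plus mode, owner and size for each watched binary and reports any that no longer match the baseline. The binary paths are assumed typical locations, and the use of sha256sum and GNU stat is this example's choice, not the poster's.

```shell
#!/bin/sh
# Added example (not from the post). Paths are assumed typical locations
# for the services named in the post; override with the WATCHED variable.
WATCHED="${WATCHED:-/usr/sbin/sshd /usr/sbin/httpd /usr/sbin/named /usr/sbin/sendmail /sbin/iptables}"

# snapshot FILE...: print "sha256 mode uid:gid size path" for each file.
snapshot() {
    for f in "$@"; do
        if [ -f "$f" ]; then
            h=$(sha256sum "$f" | cut -d' ' -f1)
            meta=$(stat -c '%a %u:%g %s' "$f")   # GNU stat format flags
            printf '%s %s %s\n' "$h" "$meta" "$f"
        else
            printf 'MISSING - - - %s\n' "$f"
        fi
    done
}

# verify BASELINE FILE...: report every file whose current record does not
# appear verbatim in the baseline; returns 1 if anything differs.
verify() {
    base=$1; shift
    rc=0
    for p in "$@"; do
        cur=$(snapshot "$p")
        if ! grep -qxF -- "$cur" "$base"; then
            printf 'CHANGED: %s\n  now: %s\n' "$p" "$cur"
            rc=1
        fi
    done
    return "$rc"
}

# Usage: script baseline FILE   (record the known-good state)
#        script verify FILE     (exit status 1 if any watched binary differs)
case "${1:-}" in
    baseline) snapshot $WATCHED > "$2" ;;
    verify)   verify "$2" $WATCHED ;;
esac
```

The baseline file and the hashing tools should live on read-only or off-host media, since an intruder with root can rewrite a baseline stored on the same machine.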


