Re: system hacked, need help

From: Stephan Neuhaus (neuhaus_at_cs.uni-sb.de)
Date: 10/23/03


Date: Thu, 23 Oct 2003 13:09:23 +0200

Rocke Robertson wrote:
> download a new version of /bin/ps and see if it shows different output
> from the original /bin/ps.

If there is a rootkit on the machine, then it is well possible that a
hacked *kernel* returns the wrong information, not a hacked *ps binary*
(although it could of course also be a hacked ps binary). So, really,
the only way to make sure is to nuke the site from orbit^W^W^W^W^W
reinstall the operating system from the distribution media. If you can
afford it, save the suspect disks, mount them later on another machine
(read-only, so as not to disturb the atime of inodes) and go hunting for
rootkits.

If you can, mount them on a system with a different architecture. That
way, you can't easily run binaries or load libraries from the suspect disk.

Fun,

Stephan

-- 
Stephan Neuhaus
University of the Saarland, Department of Computer Science
Experimental Software Security at the Chair of Software Engineering
Web: http://www.st.cs.uni-sb.de/~neuhaus
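One way to verify that a suspect disk really was mounted the way Stephan describes (read-only, access times untouched, nothing on it executable) before starting the rootkit hunt. This is an added shell example, not code from the original thread; the image path and mount point are assumptions.

```bash
#!/bin/sh
# Added example: mount a suspect disk for offline examination and verify
# that the mount flags preserve the evidence. /evidence/suspect-sda1.img
# and /mnt/suspect are assumed names.

# Options that keep the suspect filesystem inert on the analysis host:
#   ro       - no writes at all
#   noatime  - browsing the tree must not update inode access times
#   noexec/nosuid/nodev - never run anything that lives on the suspect disk
# For journaled filesystems add the fs-specific option that suppresses
# journal replay as well (e.g. noload for ext3/ext4).
EVIDENCE_OPTS="ro,noatime,noexec,nosuid,nodev"

# Return 0 if a /proc/mounts style line ("dev mountpoint fstype options
# dump pass") carries every option we require, 1 otherwise.
mount_line_is_safe() {
    opts=$(printf '%s\n' "$1" | awk '{print $4}')
    for want in ro noatime noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;          # option present, keep checking
            *) return 1 ;;           # something is missing: not safe
        esac
    done
    return 0
}

# Look up a live mount point in /proc/mounts and check it.
# Returns 2 if nothing is mounted there.
check_mountpoint() {
    line=$(awk -v mp="$1" '$2 == mp' /proc/mounts | head -n 1)
    [ -n "$line" ] || { echo "not mounted: $1" >&2; return 2; }
    mount_line_is_safe "$line"
}

# Intended workflow (needs root and a real image):
#   mount -o loop,$EVIDENCE_OPTS /evidence/suspect-sda1.img /mnt/suspect
#   check_mountpoint /mnt/suspect && echo "evidence mount verified"
```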