Re: system hacked, need help
From: Stephan Neuhaus (neuhaus_at_cs.uni-sb.de)
Date: 10/23/03
- Next message: Sherman H.: "R command questions"
- Previous message: Scott Wilson: "Re: I need help on formatting a file for my Unix class!!"
- In reply to: Rocke Robertson: "Re: system hacked, need help"
- Next in thread: Alex007: "Re: system hacked, need help"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 23 Oct 2003 13:09:23 +0200
Rocke Robertson wrote:
> download a new version of /bin/ps and see if it shows different output
> from the original /bin/ps.

If there is a rootkit on the machine, then it is well possible that a
hacked *kernel* returns the wrong information, not a hacked *ps binary*
(although it could of course also be a hacked ps binary). So, really,
the only way to make sure is to nuke the site from orbit^W^W^W^W^W
reinstall the operating system from the distribution media. If you can
afford it, save the suspect disks, mount them later on another machine
(read-only, so as not to disturb the atime of inodes) and go hunting for
rootkits.

If you can, mount them on a system with a different architecture. That
way, you can't easily run binaries or load libraries from the suspect disk.

Fun,
Stephan
--
Stephan Neuhaus
University of the Saarland, Department of Computer Science
Experimental Software Security at the Chair of Software Engineering
Web: http://www.st.cs.uni-sb.de/~neuhaus
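
The read-only mount suggested in the message above can be verified before anyone touches the suspect disk; the following is an added example, not part of the original post. It goes slightly further by also requiring noexec, nosuid and nodev (an assumption, for the case where no different-architecture machine is available); the function names, mount points and sample mount table are hypothetical.

```shell
#!/bin/sh
# Added example: confirm a suspect disk is mounted safely before analysis.
# Input uses the /proc/mounts format: device mountpoint fstype options dump pass

# ro keeps inode atimes untouched; noexec/nosuid/nodev are an added assumption
# for an analysis host of the same architecture as the suspect machine.
REQUIRED_OPTS="ro noexec nosuid nodev"

# Constructed sample mount table (not taken from a real host).
write_sample_mounts() {
    cat > "$1" <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/sdb1 /mnt/suspect ext3 rw,noatime 0 0
/dev/sdc1 /mnt/evidence ext3 ro,nosuid,nodev,noexec,noatime 0 0
EOF
}

# missing_opts MOUNTS_FILE MOUNTPOINT
# Prints the required options that are absent (space-separated),
# or "unmounted" if the mount point is not listed at all.
missing_opts() {
    mounts_file=$1
    mountpoint=$2
    # The last matching line wins: a later mount shadows an earlier one.
    opts=$(awk -v mp="$mountpoint" '$2 == mp { o = $4 } END { print o }' "$mounts_file")
    if [ -z "$opts" ]; then
        echo "unmounted"
        return 0
    fi
    missing=""
    for want in $REQUIRED_OPTS; do
        # Wrap in commas so "ro" does not match inside another option name.
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="${missing:+$missing }$want" ;;
        esac
    done
    echo "$missing"
}

# safe_to_analyze MOUNTS_FILE MOUNTPOINT
# Exit status 0 only when the mount exists and no required option is missing.
safe_to_analyze() {
    [ -z "$(missing_opts "$1" "$2")" ]
}
```

On a live analysis host, call it as `safe_to_analyze /proc/mounts /mnt/suspect`. On ext3/ext4 a plain `ro` mount can still replay the journal, so add `noload` or make the block device itself read-only.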