Re: system hacked, need help

From: Stephan Neuhaus (neuhaus_at_cs.uni-sb.de)
Date: 10/23/03


Date: Thu, 23 Oct 2003 13:09:23 +0200

Rocke Robertson wrote:
> download a new version of /bin/ps and see if it shows different output
> from the original /bin/ps.

If there is a rootkit on the machine, then it is well possible that a
hacked *kernel* returns the wrong information, not a hacked *ps binary*
(although it could of course also be a hacked ps binary). So, really,
the only way to make sure is to nuke the site from orbit^W^W^W^W^W
reinstall the operating system from the distribution media. If you can
afford it, save the suspect disks, mount them later on another machine
(read-only, so as not to disturb the atime of inodes) and go hunting for
rootkits.

If you can, mount them on a system with a different architecture. That
way, you can't easily run binaries or load libraries from the suspect disk.

Fun,

Stephan

-- 
Stephan Neuhaus
University of the Saarland, Department of Computer Science
Experimental Software Security at the Chair of Software Engineering
Web: http://www.st.cs.uni-sb.de/~neuhaus
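Stephan's advice to mount the suspect disks read-only so the inode atimes survive is easy to get wrong in practice (a plain `mount` defaults to read-write and updates atime). The following is an added example, not part of the original post and not anything Stephan published: a small POSIX shell helper that builds the mount command an examiner would use and then verifies, from a `/proc/mounts`-style table, that the evidence filesystem is really mounted `ro,noatime` before anyone touches it. The device name `/dev/sdc1`, the mount point `/mnt/evidence` and the mounts table lines are constructed for the example; the extra `nodev,nosuid,noexec` options are real mount flags added here as an assumption about what an examiner would want, and they only reduce (not eliminate) the chance of running something from the suspect disk, which is why the post's different-architecture suggestion still stands.

```shell
#!/bin/sh
# Added example: verify a forensic (read-only, no-atime) mount of a suspect disk.
# Not from the original post; paths and mount table below are constructed.

# Print the mount command for an evidence device.  $1 = device, $2 = mount point.
# ro       : never write to the suspect filesystem
# noatime  : do not touch inode access times while we examine it
# nodev,nosuid,noexec : lower the risk of running or trusting anything on it
forensic_mount_cmd() {
    printf 'mount -o ro,noatime,nodev,nosuid,noexec %s %s\n' "$1" "$2"
}

# Return 0 if mount point $1 appears in the mounts table with BOTH "ro" and
# "noatime" among its options, 1 otherwise.  $2 is the table to consult, in
# /proc/mounts format (dev mountpoint fstype options dump pass); it defaults to
# the live /proc/mounts and can be a file for offline testing.
evidence_mount_ok() {
    mp="$1"
    table="${2:-/proc/mounts}"
    # Last matching entry wins, which is what the kernel shows for overmounts.
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$table")
    [ -n "$opts" ] || return 1
    case ",$opts," in
        *,ro,*) ;;
        *) return 1 ;;
    esac
    case ",$opts," in
        *,noatime,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample mounts table (not a real system): one correct evidence
# mount, one mistakenly read-write, and the root filesystem.
SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdc1 /mnt/evidence ext3 ro,noatime,nodev,nosuid,noexec 0 0
/dev/sdc2 /mnt/evidence-bad ext3 rw,noatime 0 0
EOF

# Demonstration: show the command, then check each candidate mount point.
forensic_mount_cmd /dev/sdc1 /mnt/evidence
for mp in /mnt/evidence /mnt/evidence-bad /mnt/not-mounted; do
    if evidence_mount_ok "$mp" "$SAMPLE_MOUNTS"; then
        echo "$mp: safe to examine (ro,noatime)"
    else
        echo "$mp: NOT a read-only/noatime mount, do not examine"
    fi
done
```

Run it as-is to see the constructed table evaluated; on a real examination host, call `evidence_mount_ok /mnt/evidence` with no second argument so it reads the live `/proc/mounts`. Note that the check only tells you what the kernel claims about the mount; as the post says, a compromised kernel can lie, which is why the disk should be examined on a separate, trusted machine rather than on the hacked one.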
