There's a collection of scripts that checks for various rootkits at: http://www.chkrootkit.org/

It's not foolproof, but it might help. Make sure to do FULL portscans against the box after you think it's cleaned up, and run "lsof -i" to see if anything is listening on ports you don't know about. There may be trojans masking as real services, listening on ports waiting for a login, etc.

It may have been compromised through ssh if it wasn't patched; look in the logs for ssh compensation attacks, though if the attacker did his homework, the logs are probably wiped.

Also search for core files (except for /dev/core); sometimes they leave those behind, and you may find an IP address while doing "strings" on it.

Also search for ".bash_history" files; sometimes when using an exploited login program, it may store the history file in another place, and it may have been missed by the attacker.

Also look at the date/times of the files you've found, and then search the entire file system for that date and time; it may turn up more hidden directories and files (find /* -ls | grep "Jul 21"), for example.

There's probably a hidden file logging usernames and passwords somewhere if a sniffer was set up. I've seen a couple of times where the guy logged into another server to get more tools, and got caught by his own sniffer, so if you have those files, check for IP addresses and logins that look strange, and also the passwd file for changes, etc.

It all depends how good the person was, but most times there's a fingerprint or two hanging around.

-- John Pascuzzi

At 11:26 PM 7/25/02 +0800, you wrote:
>I was trying to fix up a crashed Red Hat linux 7.2 server for a client
>today, and after a bit of fiddling discovered what looks pretty clearly like a
>rootkit. It had files stored in /dev/\ \ \ , modified a bunch of
>binaries including su, netstat, ls, ps, and ifconfig, and installed some
>sort of sshd trojan in a whole bunch of places. Sound familiar to
>anyone?
>(ie, who knows where I can learn more about it?)
>
>While cleaning up the mess with that, things still weren't working so I
>looked farther and discovered ANOTHER bunch of covert directories,
>called /dev/.id, /dev/.sh and /dev/.so (IIRC). These were linked to an
>entry in the rc.local boot script which powered up something in /dev/.id
>(didn't have time to note the details yet, sorry).
>
>Anyone hear of these? Is this one rootkit or more than one?
>
>--
>Steve Bougerolle
>Creek & Cowley Consulting
>
>http://www.creek-and-cowley.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
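The triage steps in the reply above (hidden entries under /dev of the kind the original post describes, files touched around a known-bad date, addresses buried in a core file, stray .bash_history files) as a set of POSIX shell helpers. This is an added example written for this page, not code from either poster. Each helper takes a root directory so it can be run against a mounted image of the box rather than its live, possibly trojaned, binaries; the sample tree, its paths and its contents are constructed here for the demonstration and stand in for nothing real. It assumes GNU find, grep, sort and touch (for -newermt, -a and touch -d). The live-host checks (portscan, lsof -i) are deliberately left out since they only make sense on the running system.

```shell
#!/bin/sh
# Post-compromise triage helpers (added example; not from the original thread).
# Every function takes a root directory so it can be pointed at a mounted image
# or at the constructed tree below instead of the live system.
# Assumes GNU find/grep/sort/touch (-newermt, grep -a, touch -d).

# Dotfiles and whitespace-only names under a directory such as /dev: the kind
# of entries the original post found (/dev/.id, /dev/"   ").
find_odd_entries() {
    find "$1" -mindepth 1 \( -name '.*' -o -name '* *' \) 2>/dev/null | LC_ALL=C sort
}

# Files whose mtime falls inside an explicit window around a known-bad
# timestamp; a precise form of "find /* -ls | grep 'Jul 21'".
find_modified_between() {
    find "$1" -type f -newermt "$2" ! -newermt "$3" 2>/dev/null | LC_ALL=C sort
}

# IPv4-looking strings inside a binary (core file, sniffer log). grep -a reads
# the file as text, so strings(1) is not required; output is de-duplicated.
extract_ipv4() {
    grep -aoE '([0-9]{1,3}\.){3}[0-9]{1,3}' "$1" | LC_ALL=C sort -u
}

# Shell history files anywhere except the normal home directories, where a
# trojaned login program may have dropped one the attacker forgot to wipe.
find_stray_histories() {
    find "$1" -type f -name '.*_history' \
        ! -path "$1/home/*" ! -path "$1/root/*" 2>/dev/null | LC_ALL=C sort
}

# Constructed sample tree standing in for a compromised filesystem. All paths,
# contents and dates are made up for this demonstration.
build_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/dev/.id" "$t/dev/   " "$t/dev/.so" "$t/home/steve" "$t/usr/lib"
    # A fake "core" with two embedded addresses and a NUL byte in the middle.
    printf 'sshd\000login 10.1.2.3 x 192.168.7.9 y 10.1.2.3\n' > "$t/dev/.id/core"
    printf 'ls -la /dev/.id\n' > "$t/usr/lib/.bash_history"
    printf 'cd ~\n' > "$t/home/steve/.bash_history"
    printf 'harmless\n' > "$t/usr/lib/libc.txt"
    # Back-date the planted files to the "Jul 21" the reply uses as its example.
    touch -d '2002-07-21 03:14:00' "$t/dev/.id/core" "$t/usr/lib/.bash_history"
    touch -d '2002-07-25 12:00:00' "$t/usr/lib/libc.txt" "$t/home/steve/.bash_history"
    printf '%s\n' "$t"
}

# Walk the sample tree and report, as the triage would on a real image.
demo() {
    root=$(build_sample_tree)
    echo "== odd entries under dev";          find_odd_entries "$root/dev"
    echo "== files modified on 2002-07-21"
    find_modified_between "$root" '2002-07-21 00:00:00' '2002-07-22 00:00:00'
    echo "== addresses in the core file";     extract_ipv4 "$root/dev/.id/core"
    echo "== stray history files";            find_stray_histories "$root"
    rm -rf "$root"
}

demo
```

On a real case, mount the disk read-only (or work from an image) and pass the mount point as the root argument; once you have one confirmed-bad mtime from find_odd_entries, feed a window around it to find_modified_between to turn up the rest of the kit, and run extract_ipv4 over any core or sniffer log it surfaces.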
This archive was generated by hypermail 2b30 : Thu Jul 25 2002 - 11:29:50 PDT