Security Basics mailing list archives
Re: Linux hacked
From: Barrie Dempster <barrie () reboot-robot net>
Date: Thu, 21 Oct 2004 11:08:37 +0100
On Wed, 2004-10-20 at 11:52 -0500, Nicholson, Dale wrote: <snip>
Can someone help me with where to get a listing of everything I have installed and the versions?
`ls /var/db/pkg/*/*/*.ebuild | cut -d/ -f5-6 | less` will list everything you have installed
Also, I need something that can detect root kits etc. on linux. I've heard knoppix mentioned as having good tools on this list for an example, but I wouldn't know what tools to use for this particular case.
chkrootkit - http://www.chkrootkit.org or rkhunter - http://freshmeat.net/projects/rkhunter You will also find chkrootkit on knoppix-STD - http://www.knoppix-std.org
This is what I tried so far: I logged in using a boot CD, mounted the hard disks, chrooted in, blanked out the root password in the /etc/shadow file, changed the root password, rebooted and tried to log in normally. This did not work. I also checked that the correct users were in both /etc/passwd and /etc/shadow.
Attacker may have modified the login binary, since it's a gentoo box and the binaries will be self compiled it will be hard to verify this since I'm under the impression you haven't been performing integrity checks. I suggest you don't put this install back into production, as since you are a self confessed novice you will have a hard time cleaning it out. Find all the key configuration files and back them up (or use a recent backup), before a reinstall of the system, then replace everything as needed. Be sure to verify that the configuration files you restore to the new install don't have any dodgy modifications, if in doubt re-build the config from the default config files. No offence intended but if your admin can't talk you through getting access to the box again, than maybe you should seek advice from elsewhere on the running of your machine. Since you have little security experience yourself getting someone that knows security would be a good help. Also updating a machine once a week doesn't equate to good security, if he isn't log monitoring and performing integrity checks, then you won't know if you are being attacked or not. Good Luck. :-) -- Barrie Dempster (zeedo) - Fortiter et Strenue http://www.bsrf.org.uk [ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- Linux hacked Nicholson, Dale (Oct 20)
- Re: Linux hacked Casper the Friendly Ghost (Oct 21)
- Re: Linux hacked Jonathan Loh (Oct 21)
- Message not available
- Re: Linux hacked xyberpix (Oct 21)
- RE: Linux hacked Randori (Oct 21)
- Re: Linux hacked xyberpix (Oct 21)
- Re: Linux hacked Barrie Dempster (Oct 21)
- Re: Linux hacked Miles Stevenson (Oct 21)
- Re: Linux hacked xyberpix (Oct 25)
- <Possible follow-ups>
- RE: Linux hacked Conlan Adams (Oct 21)
- RE: Linux hacked mike (Oct 21)
- RE: Linux hacked Matt Arntsen (Oct 21)
- RE: Linux hacked Jonathan Loh (Oct 22)
- RE: Linux hacked xyberpix (Oct 25)
- RE: Linux hacked Nicholson, Dale (Oct 25)
- RE: Linux hacked Leif Ericksen (Oct 25)
- RE: Linux hacked Randori (Oct 25)