Security Incidents mailing list archives
Re: Linux box 'infected' with RK15
From: Thomas Roessler <roessler () DOES-NOT-EXIST ORG>
Date: Thu, 22 Mar 2001 22:35:36 +0100
On 2001-03-22 16:46:26 +0000, Sean Kelly wrote:
> ToMiller () USAID GOV asked about how the intruder got in. The rootkit install script deleted /var/log/messages, but the machine was running exploitable versions of wu-ftpd, sendmail and NFS (my colleague wasn't very good - perhaps that's why I got the job :). No named was running. I shall look through the other logfiles and see if anything more arises.
If you didn't write too much to your /var/log partition since the file was deleted, you can still try to recover the log files using strings and grep - for instance like this:

    strings /dev/raw-device-of-var-log | egrep '(Jan|Feb|Mar) ' | sort -u

-- 
Thomas Roessler <roessler () does-not-exist org>
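The recovery idea in the reply above, carved out on a constructed disk image so it can be run offline. This is an added example, not code from the thread: it builds a fake "raw device" image in which a few syslog lines sit among control-character filler (as freed data blocks still holding the unlinked /var/log/messages would), then pulls them back out with a date-prefix pattern and deduplicates, which is what the strings | egrep | sort -u pipeline does. grep -a is used in place of strings so each syslog line is kept whole; the image path, hostname, log lines and 192.0.2.x addresses are all constructed for the demo, and the timeline ordering relies on GNU sort's -M month option.

```shell
#!/bin/sh
# Added example, not part of the original thread. Recovers syslog-style lines
# from a raw block-device image after the log file itself was unlinked.
# All paths, hostnames and log lines below are constructed for the demo.

# Write a fake "raw device" image: control-character filler around a handful
# of syslog lines (one duplicated), roughly what freed blocks look like.
make_demo_image() {
    img="$1"
    filler=$(printf '\001\002\003\004\005\006\010\013\014\016\017')
    {
        printf '%s%s%s' "$filler" "$filler" "$filler"
        printf 'Mar 20 03:14:01 victim in.ftpd[1203]: connect from 192.0.2.10\n'
        printf '%s' "$filler"
        printf 'Feb 28 23:59:59 victim syslogd 1.3-3: restart.\n'
        printf '%s%s' "$filler" "$filler"
        printf 'Mar 20 03:14:05 victim in.ftpd[1203]: FTP LOGIN FROM 192.0.2.10 [192.0.2.10], anonymous\n'
        printf '%s' "$filler"
        printf 'Mar 20 03:14:01 victim in.ftpd[1203]: connect from 192.0.2.10\n'
        printf '%s' "$filler"
        printf 'Mar 21 11:02:17 victim PAM_pwdb[1417]: (login) session opened for user toby by (uid=0)\n'
        printf '%s%s' "$filler" "$filler"
    } > "$img"
}

# Carve syslog lines (month, day, time, message text) out of the raw image and
# drop exact duplicates, as the original strings | egrep | sort -u pipeline does.
# LC_ALL=C keeps grep from choking on bytes that are invalid in a UTF-8 locale.
recover_syslog_lines() {
    LC_ALL=C grep -aoE \
        '(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [ 0-9][0-9] [0-9]{2}:[0-9]{2}:[0-9]{2} [^[:cntrl:]]+' \
        "$1" | sort -u
}

# The same lines in timestamp order instead of alphabetical order, which is
# what an investigator reading a timeline wants (GNU sort -M sorts month names).
recover_syslog_timeline() {
    recover_syslog_lines "$1" | sort -k1,1M -k2,2n -k3,3
}

# Number of distinct lines recovered.
count_recovered() {
    recover_syslog_lines "$1" | wc -l | tr -d ' '
}

# Stand-alone run: build the image, print the recovered timeline, clean up.
demo_img=$(mktemp)
make_demo_image "$demo_img"
recover_syslog_timeline "$demo_img"
rm -f "$demo_img"
```

Against a real system the image argument would be the block device holding /var/log (read-only, ideally from a dd copy taken before anything else is written to that filesystem), and the month list can be narrowed to the window of interest as in the original command. The duplicated "connect from" line comes back once, and the recovered text is only as trustworthy as any other artefact on a rooted box: it shows what the syslog daemon wrote, not what the intruder may have edited before deleting the file.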
Current thread:
- Linux box 'infected' with RK15 Sean Kelly (Mar 21)
- Re: Linux box 'infected' with RK15 Sean Kelly (Mar 22)
- Re: Linux box 'infected' with RK15 Thomas Roessler (Mar 23)
- Re: Linux box 'infected' with RK15 Jim Roland (Mar 22)
- <Possible follow-ups>
- Re: Linux box 'infected' with RK15 Miller, Toby (Mar 21)
- Re: Linux box 'infected' with RK15 Miller, Toby (Mar 22)
- Re: Linux box 'infected' with RK15 Sean Kelly (Mar 23)
- Re: Linux box 'infected' with RK15 Neal Dias (Mar 23)
- Re: Linux box 'infected' with RK15 Sean Kelly (Mar 22)