Security Basics mailing list archives

Re: redhat audit


From: exon <exon () home se>
Date: Tue, 17 Jun 2003 12:41:53 +0200 (CEST)

man find and look into -mtime.
It's not a very good method, however, since you're probably being duped by
'touch -r <origfile mv'd to preserve timestamp> backdoorfile'
If this is not the case, you're looking at the results of a totally
incompetent intruder who should be shot on sight.

If I were you, I'd replace any and all process monitoring tools, network
monitoring tools, file monitoring tools (find, ls, df, du), any network
servers you have running on your system and any and all daemons that are
running (including init, inetd and so on and so forth). You might also
want to replace the shell you're using.

It's rare, but not unheard of, that rootkits and backdoor systems include
replacement gcc's, so that newly compiled sources ALL have backdoor code
in them. A much more clever hack is to add simple server capabilities to the
fork() function in libc, which is called by daemons to 'release'
themselves of the current tty (sort of). Do 'netstat -lp --numeric-ports'
to see what's running on your system, but after you've replaced it, mkay?

When you've updated your system I suggest you run
'du -x / | grep "/." > dufile' to find the location of the rootkit
installation. It will probably be in some directory that is present on all
systems, but most newbies don't look in (like /var/log, or
/var/spool) which the hacked shell (if any) won't let you cd to.

Needless to say, you need to unplug the ethernet cable until you're done with
the 'upgrading', and then look into the server software you're running to
make sure it doesn't happen again.

Now you may go paranoid and look over your shoulder. There's probably
someone there.

/Andy

On Mon, 16 Jun 2003, Matthew Sallee wrote:

Recently my Red Hat box was compromised and I'm auditing changes that were made
(I didn't notice for several days).

I've been trying to create a command that will allow me to view all the files
modified in the last x number of days.

I've tried piping ls to grep with minimal success. Any help is greatly
appreciated...

matt


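The two checks discussed in this thread, worked through as an added example that is not part of either post: a throwaway directory tree (all paths under it are constructed for the demo) in which a "backdoor" has had its mtime copied from a legitimate file with touch -r, compared under find -mtime and find -ctime, plus the du-based hunt for dot-directories. The point the example makes that the posts do not spell out is that touch -r rewrites atime and mtime only; the kernel stamps ctime with the current clock on every inode change, so a backdated file still surfaces under -ctime. The grep pattern is written here as '/\.' rather than "/." so that it matches a slash followed by a literal dot, not a slash followed by any character.

```shell
#!/bin/sh
# Added example, not code from the original posts. Builds a throwaway tree
# (constructed paths) under a temp dir, plants a "backdoor" whose mtime was
# copied from a legitimate file with touch -r, and shows that find -mtime
# misses it while find -ctime still sees it: touch -r rewrites atime/mtime,
# but the kernel stamps ctime with the current time on every inode change.
# Also shows the du-based hunt for dot-directories in places like /var/log.

SANDBOX=$(mktemp -d)                 # everything below lives in here
trap 'rm -rf "$SANDBOX"' EXIT        # clean up when the script exits

setup_sandbox() {
    mkdir -p "$SANDBOX/bin" "$SANDBOX/var/log/.hidden/.tools"

    # A "legitimate" binary that was last modified on 2023-01-01 00:00.
    printf 'legit\n' > "$SANDBOX/bin/ls"
    touch -t 202301010000 "$SANDBOX/bin/ls"

    # The intruder drops a trojaned netstat and backdates its mtime from ls,
    # exactly the 'touch -r <origfile> backdoorfile' trick from the thread.
    printf 'evil\n' > "$SANDBOX/bin/netstat"
    touch -r "$SANDBOX/bin/ls" "$SANDBOX/bin/netstat"

    # The rootkit unpacked into a dot-directory under var/log.
    printf 'rk\n' > "$SANDBOX/var/log/.hidden/.tools/kit"
}

# Files modified within the last N days: the 'find -mtime' answer to the
# question. The backdated netstat will NOT show up here.
recently_modified() {                # $1 = days
    find "$SANDBOX" -type f -mtime "-$1" | sort
}

# Files whose inode changed within the last N days. Creating the file and
# running touch -r both updated ctime, so the backdated netstat DOES show up.
recently_changed() {                 # $1 = days
    find "$SANDBOX" -type f -ctime "-$1" | sort
}

# Dot-directories, the 'du -x / | grep "/."' hunt. The dot is escaped so the
# pattern means "slash followed by a literal dot"; -x keeps du on one
# filesystem; cut drops du's size column (du separates it with a tab).
hidden_dirs() {
    du -x "$SANDBOX" | grep '/\.' | cut -f2- | sort
}

# Demo run over the constructed tree.
setup_sandbox
echo "== files with mtime in the last 7 days (find -mtime -7) =="
recently_modified 7
echo "== files with ctime in the last 7 days (find -ctime -7) =="
recently_changed 7
echo "== dot-directories found by du =="
hidden_dirs
```

On a real box the equivalent sweep is something like `find / -xdev -ctime -N` run from a known-good find binary (the thread's point about replacing find, ls, du and friends applies to the tools doing the audit, too). Treat ctime as a lead rather than proof: it can still be defeated by an intruder who changes the system clock or writes to the inode directly, which is one more reason the clean reinstall the reply recommends is the only dependable fix.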

---------------------------------------------------------------------------
Evaluating SSL VPNs? Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.

Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.

Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------