Security Basics mailing list archives

Re: process identification

From: Stijn De Weirdt <stdweird () carl ugent be>
Date: Tue, 4 May 2004 17:41:06 +0200 (CEST)

hi all, 

thanks for the many suggestions. it turned out that it was a rootkit 
(found it with the chkrootkit, but the other one didn't saw it, thanks go 
to niek for the links). the chkrootkit reported an infected /sbin/init and 
the chkproc gave 2 hidden processes. the computer has been taken offline, 
i've been changing a lot of passwds (found a nasty .sniffer-file), and 
will do reinstall asap (this time with a minimum of installed servers and 
a working config of iptables ;).
 
i still have some questions though: why would one suspect an infected 
netstat when it actually showed that the port was occupied? the lsof i 
later used was freshly compiled, netstat was still the same.
and what can be done against rootkits? (apart from good firewall).
is a combination of chkrootkit and cron effective (and what about 
updates?). when using the detector from rootkit.nl, i saw they asked about 
about md5sum-checked files. i assume you can do some sort of combination 
of slocate and md5sum, and then check against that database every night. 
how effective would this be?

again thanks for the suggestions

stijn

Stijn,

Your machines is probably compromised by script kiddies, who have installed a rootkit.
Todays rootkits can mask pids, processes, iptables settings ect.

There is much info to be found what to do when you realize you've been compromised.
I'm not going to elaborate on that here.
Tools like www.chkrootkit.org and www.rootkit.nl can help you identify the malware used.

Kind regards,

Niek


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------

Current thread:

process identification Stijn De Weirdt (May 03)
- Re: process identification Ivan Andres Hernandez Puga (May 04)
  - Re: process identification Stijn De Weirdt (May 04)
    - Re: process identification Javier Sanchez (May 04)
    - Re: process identification Ivan Andres Hernandez Puga (May 04)
- Re: process identification Tarun Dua (May 04)
  - RE: process identification skill2die4 (May 04)
    - RE: process identification Tarun Dua (May 06)
- Re: process identification Nik Schild (May 04)
- Re: process identification Niek (May 04)
  - Re: process identification Stijn De Weirdt (May 04)
- <Possible follow-ups>
- Re: process identification Ivan Coric (May 04)
- Re: process identification Andrew Pretzl (May 06)
- RE: process identification Amin Tora (May 07)