Security Incidents mailing list archives
Recognizing compromised binaries
From: friedl () MTNDEW COM (Stephen Friedl)
Date: Fri, 18 Feb 2000 20:39:58 -0800
Hello all,

As I have recounted, the ADMSUCKS hack this weekend has been quite vivid, but one small point I've not seen before in this forum.

The bad guy had compromised most of the obvious system binaries (ls, ps, netstat, etc.) so it was hard to identify even what was wrong. S/he of course replaced the date and time, so "ls -l" listings all showed the files where they were, but the *inode numbers* of the files were all different. Since most of the system binaries were installed onto a fresh hard drive, the inode numbers are all low and more or less sequential. This made it possible to recognize which files had been compromised:

    # cd /bin
    # ls -lti
      22590 -rwsr-xr-x   1 root     root        19116 Oct  6  1998 umount
    1466438 -rwxr-xr-x   1 root     root        36970 Oct  2  1998 ps
      22560 -rwxr-xr-x   1 root     root       262756 Oct  2  1998 tcsh
    ....
      22594 -rwxr-xr-x   1 root     root         8008 Sep  2  1998 hostname
    1466436 -rwxr-xr-x   1 root     root        30968 Sep  2  1998 netstat
      22552 -rwxr-xr-x   1 root     root       153752 Aug 28  1998 ash.static
    ...
      22542 -rwxr-xr-x   1 root     root        12736 Aug  6  1998 ln
    1466433 -rwxr-xr-x   1 root     root       137415 Aug  6  1998 ls
      22544 -rwxr-xr-x   1 root     root         8268 Aug  6  1998 mkdir

The 146xxx numbers were all hacked, and they were all over the system.

This is not a definitive test, of course (the bad guy could probably just "cat hacked.ls > /bin/ls" and keep the same inode number), but for me this was a very early clue as to the extent of the damage and kept me from wasting my time trying to piece it back together -- I got a new hard drive and started over.

Inode numbers are your friends.

Steve

---
Stephen J Friedl|Software Consultant|Tustin, CA| +1 714 544-6561
3B2-kind-of-guy |I speak for me only| KA8CMY |steve () unixwiz net
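As an added example, not part of Steve's post: a small Python script that applies the same inode-clustering idea to a directory (flagging entries whose inode sits far from the cluster), plus a function that reproduces the caveat he raises on a throwaway file: rewriting a file in place keeps its inode, while renaming a new file over it does not. The sample table is constructed from his listing, and the `ratio` threshold is an assumption of this example.

```python
import os
import statistics
import tempfile

# Constructed sample modelled on the ls -lti listing in the post: (name, inode).
SAMPLE = [
    ("umount", 22590), ("ps", 1466438), ("tcsh", 22560),
    ("hostname", 22594), ("netstat", 1466436), ("ash.static", 22552),
    ("ln", 22542), ("ls", 1466433), ("mkdir", 22544),
]

def inode_outliers(entries, ratio=10.0):
    """Return names whose inode is more than `ratio` times the median inode.

    Binaries installed together on a fresh disk get low, nearly sequential
    inodes, so they cluster; a file created much later lands elsewhere.
    The median is only meaningful while most of the directory is still
    original: if the majority was replaced, the cluster itself is the bad set.
    `ratio` is an assumed threshold, not something the post specifies."""
    if not entries:
        return []
    median = statistics.median(ino for _, ino in entries)
    return sorted(name for name, ino in entries if ino > median * ratio)

def scan_directory(path):
    """Collect (name, inode) for regular files in `path`, not following symlinks."""
    with os.scandir(path) as it:
        return [(e.name, e.inode()) for e in it if e.is_file(follow_symlinks=False)]

def overwrite_vs_replace():
    """Reproduce the caveat: "cat new > target" keeps the inode, whereas writing
    a new file and renaming it over the target gives the path a new inode.
    Returns (inode_kept_after_overwrite, inode_changed_after_rename)."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "target")
        with open(target, "w") as f:
            f.write("original\n")
        before = os.lstat(target).st_ino
        with open(target, "w") as f:        # truncate + rewrite: same inode
            f.write("rewritten\n")
        after_overwrite = os.lstat(target).st_ino
        staged = os.path.join(tmp, "staged")
        with open(staged, "w") as f:        # new file: a new inode is allocated
            f.write("replacement\n")
        os.replace(staged, target)          # rename over the target
        after_rename = os.lstat(target).st_ino
        return before == after_overwrite, before != after_rename

if __name__ == "__main__":
    for name in inode_outliers(scan_directory("/bin")):
        print("inode far from the cluster:", name)
    print(overwrite_vs_replace())
```

On a modern distribution where /bin is a merged /usr/bin populated by many package updates, the cluster is much less clean than on the freshly installed disk in the post, so treat flagged names as leads to verify, not as a verdict.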