[PLUG] Re: Got hacked last night - HELP!
John Meissen
john at meissen.org
Tue Oct 5 18:53:02 UTC 2004
Bill Thoen wrote:
> > run rpm -Va and figure out anything that fails the comparison
>
> S.5....T /bin/netstat
> S.5....T /sbin/ifconfig
> S.5....T /usr/bin/find
> S.5....T /usr/bin/killall
> S.5....T /usr/bin/pstree
> S.5....T /bin/ls
> S.5....T /usr/bin/dir
> S.5....T /usr/bin/du
> S.5....T /usr/bin/vdir
> S.5....T /sbin/syslogd
> S.5....T /usr/sbin/tcpd
> S.5....T /bin/ps
> S.5....T /usr/bin/top
>
Looks familiar. I would expect you could find a few new directories on
the system that you wouldn't see using the compromised tools. In my
case they had one masquerading as a header file in /usr/src/linux/include.
There were others, too.
When they cracked my system a while back they got in through an unpatched
web server on an orphaned release of Mandrake. I had decided that trying
to rebuild Apache from source was probably as much work as upgrading to
a current release, and they hit me before the upgrade percolated to the
top of my To-Do list.
I'll probably be a bit more inclined now to go through the hassles of moving
to the latest release when the one I'm using approaches end-of-life.
I can't really fault Mandrake. When you're giving away most of your product
for free it's difficult to support the resources needed to maintain a lot
of legacy versions.
john-
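As an added illustration of the rpm -Va triage step discussed above (this is example code, not something posted in the thread): the attribute column tells you what changed (S size, M mode, 5 digest, D device, L link, U user, G group, T mtime), and the lines worth chasing are the ones where size or digest differ on a non-config file. mtime-only or mode-only drift is usually noise, and config files are expected to differ. The sample output below is constructed, not captured from any real host, and the rootkit tool list is just the set of process-, file- and socket-hiding binaries the quoted listing shows. Keep in mind that rpm -Va on a compromised box trusts the local rpm database and the rpm binary itself, both of which the intruder may have touched; run it from a rescue boot, or against the package's own checksums from a clean mirror, before believing a clean result.

```shell
#!/bin/sh
# Added example, not from the original post. Triage rpm -Va output:
# each line is an attribute string (S size, M mode, 5 digest, D device,
# L link, U user, G group, T mtime), an optional one-letter file type
# (c config, d doc, g ghost, l license, r readme) and the path.
# The sample below is constructed, not real output from any host.

SAMPLE_RPM_VA='S.5....T   /bin/netstat
S.5....T   /bin/ps
.......T   /usr/bin/gcc
S.5....T c /etc/ssh/sshd_config
missing    /usr/lib/libfoo.so
.M......   /tmp/scratch'

# suspect_binaries "<rpm -Va output>"
# Emits "CHANGED <flags> <path>" for non-config files whose size or
# digest differs from the package database and "MISSING <path>" for
# files rpm could not find. mtime/mode-only drift and config files
# are dropped.
suspect_binaries() {
    printf '%s\n' "$1" | while read -r flags rest; do
        [ -n "$flags" ] || continue
        # Strip the optional file-type column; skip config files (c)
        case "$rest" in
            c\ *) continue ;;
            [dglr]\ *) rest=${rest#* } ;;
        esac
        case "$flags" in
            missing) echo "MISSING $rest" ;;
            *S*|*5*) echo "CHANGED $flags $rest" ;;
        esac
    done
}

# hiding_tools_changed "<rpm -Va output>"
# Prints how many of the CHANGED binaries are tools a rootkit typically
# replaces to hide processes, files and sockets (the set seen in the
# quoted listing). Two or more of these together is the classic pattern.
hiding_tools_changed() {
    suspect_binaries "$1" | awk '
        { name = "" }
        $1 == "CHANGED" { n = split($3, p, "/"); name = p[n] }
        name ~ /^(ps|top|pstree|killall|ls|dir|vdir|du|find|netstat|ifconfig|syslogd|tcpd)$/ { c++ }
        END { print c + 0 }'
}

suspect_binaries "$SAMPLE_RPM_VA"
echo "hiding tools replaced: $(hiding_tools_changed "$SAMPLE_RPM_VA")"
```

In practice you feed it the real listing, e.g. `suspect_binaries "$(rpm -Va 2>/dev/null)"`, and then compare the flagged binaries against copies extracted from a known-good package (rpm2cpio on a fresh download) rather than against anything on the suspect disk.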