[PLUG] Think I've been hacked

AthlonRob AthlonRob at axpr.net
Mon Jan 24 23:19:31 UTC 2005


On Mon, 2005-01-24 at 14:52 -0800, Michael Rasmussen wrote:
> AthlonRob wrote:
> > On Mon, 2005-01-24 at 14:49 -0800, Mel Andres wrote:
> > > So, what should I do next, to ensure I closed this up and cleaned house?
> > 
> > 1) Unplug the computer from the LAN, modem, whatever.
> > 2) Wipe your disk clean and re-install Linux.
> 
> please.  not required.

Perhaps not technically, but if the box actually *has* been rooted, it's
at least required practically.

> Mel, how much do you want to learn about your system?
> Start by searching the PLUG archives, there is at least one thread covering
> how to recover.  Note, I'm in the minority of people who believe that an
> infected system can be cleaned and restored to safe behavior.

Sure it can.  After you verify virtually everything on the system is
infection free.  You need to verify *every* script, *every*
configuration file, *every* binary.  

Imagine you're a black-hat cracker interested in keeping a rooted box.
How many different ways would you go about protecting yourself?  I'd
trojan every ~/.bashrc, every crontab, every binary I could think of,
every script sourced at boot or log on.  I'd trojan lilo, you know it
can execute something upon startup?  I'd trojan inittab.  I'd trojan
everybody's .forward.  I'd trojan the aliases DB.  I'd figure out how to
add a DSO to Apache that would allow me access.

Hey, a lot of these things may only grant me user access... but if
you've been rooted once, how difficult do you think it's going to be for
an attacker to gain root privs from a mere mortal user?  Not very.

Sure you could check all these things and *not* wipe the box clean and
start over - but why would you want to?

> Also, check google for chkrootkit and bindshell - there are enough instances
> of false positives that this combination receives a special entry in the FAQ.

Indeed, of course you verify you *are* rooted before doing anything to
fix the problem.  You want to be 100% sure, I think....

-- 
Rob                    |  If not safe,
  http://rob.axpr.net  |    one can never be free.
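
The audit Rob says you would have to carry out, as an added example that is not part of the thread: it hashes the persistence points he lists against a trusted baseline and reports what cannot be cleared. Paths, file contents and baseline hashes are constructed sample data; on a real host the baseline would come from package metadata or a pre-incident manifest kept off the box.

```python
import hashlib

# Persistence points named in the message above. Vendor-owned files can be
# checked against package metadata; per-user dotfiles, crontabs and .forward
# have no vendor copy, so a hash audit cannot clear them at all.
PERSISTENCE_POINTS = ["/etc/inittab", "/etc/lilo.conf", "/etc/aliases",
                      "/etc/crontab", "/home/mel/.bashrc", "/home/mel/.forward"]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def audit(files: dict, baseline: dict) -> dict:
    """Classify each point as ok / modified / unverifiable / missing."""
    result = {}
    for path in PERSISTENCE_POINTS:
        if path not in files:                      # not on the suspect disk
            result[path] = "missing"
        elif path not in baseline:                 # no trusted copy to compare
            result[path] = "unverifiable"
        elif sha256_hex(files[path]) == baseline[path]:
            result[path] = "ok"
        else:
            result[path] = "modified"
    return result

def needs_manual_review(report: dict) -> list:
    """Everything not positively cleared; if this list is long, wiping wins."""
    return sorted(p for p, s in report.items() if s != "ok")

# Constructed sample data so the script runs stand-alone (not a real host).
CLEAN_INITTAB = b"id:3:initdefault:\n"
CLEAN_LILO = b"boot=/dev/hda\nimage=/boot/vmlinuz\n"
SAMPLE_FILES = {
    "/etc/inittab": CLEAN_INITTAB + b"xx:2345:respawn:/opt/unexpected\n",  # constructed extra line
    "/etc/lilo.conf": CLEAN_LILO,
    "/etc/aliases": b"root: mel\n",
    "/etc/crontab": b"0 3 * * * root /opt/unexpected\n",
    "/home/mel/.bashrc": b"export PATH=$PATH:$HOME/bin\n",
    # /home/mel/.forward deliberately absent -> reported as "missing"
}
SAMPLE_BASELINE = {                                 # trusted hashes, kept off-box
    "/etc/inittab": sha256_hex(CLEAN_INITTAB),
    "/etc/lilo.conf": sha256_hex(CLEAN_LILO),
    "/etc/aliases": sha256_hex(b"root: mel\n"),
}

if __name__ == "__main__":
    for path, state in audit(SAMPLE_FILES, SAMPLE_BASELINE).items():
        print(f"{state:13}{path}")
```

Only the three vendor-owned files can come back "ok"; everything a user or cron owns stays on the manual-review list, which is the practical argument for reinstalling.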