
Re: LKM Trojan installed

From: Brian Hatch <focus-linux(at)ifokr.org>
Date: Sat Feb 08 2003 - 15:24:34 EST

> ... i created a directory, copied 'ps' et al to it, and used chattr on

Of course, if the cracker has gotten root, they can chattr it right back. In fact, the first thing I'd do as an attacker is to find all chattr'd files on the filesystem since they're probably important.

The only way to be absolutely sure you see the real state of the filesystem is to boot off of pristine read-only media. When you've verified all the binaries and checked for any unusual startup actions (/etc/rc?.d, /etc/inittab, initrd device, etc) which could modify things then you can trust your ps commands -- as long as the attacker doesn't come in and modify things again. (You should work without the network plugged in until you're sure things are sane.)

--
Brian Hatch                  Dijon vu: the same
   Systems and                mustard as before.
   Security Engineer
http://www.ifokr.org/bri/

Every message PGP signed

  • application/pgp-signature attachment: stored
Received on Tue Feb 11 10:58:57 2003
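The procedure the message describes (boot from pristine read-only media, verify the binaries against a known-good copy, then review the startup locations before trusting `ps`) can be scripted. The following is an added example and is not code from the original post. It assumes the suspect root filesystem has been mounted read-only at some path (`MOUNT`), and that a `sha256sum`-format manifest (`MANIFEST`) was produced earlier from a clean install of the same package versions; the demonstration at the bottom builds a small constructed fixture in a temporary directory so the script runs offline.

```shell
#!/bin/sh
# Added example: offline verification of a suspect root filesystem.
# Assumptions (not from the original message): the suspect root is
# mounted read-only under $1, and $2 is a sha256sum manifest with
# absolute paths (e.g. "<hash>  /bin/ps") made from a known-good install.

# verify_binaries MOUNT MANIFEST
# Prints OK / MODIFIED / MISSING per manifest entry; returns 0 only if all match.
verify_binaries() {
    mount_root=$1
    manifest=$2
    status=0
    while read -r expected_hash path; do
        [ -n "$path" ] || continue
        target="$mount_root$path"
        if [ ! -f "$target" ]; then
            echo "MISSING  $path"
            status=1
            continue
        fi
        actual_hash=$(sha256sum "$target" | cut -d' ' -f1)
        if [ "$actual_hash" = "$expected_hash" ]; then
            echo "OK       $path"
        else
            echo "MODIFIED $path"
            status=1
        fi
    done < "$manifest"
    return $status
}

# list_startup_hooks MOUNT
# Lists the startup locations named in the message (rc?.d, inittab, initrd)
# plus rc.local, so each can be reviewed from the clean boot environment.
list_startup_hooks() {
    mount_root=$1
    for hook in /etc/inittab /etc/rc.local /etc/rc?.d /boot/initrd*; do
        for match in "$mount_root"$hook; do
            [ -e "$match" ] && echo "$match"
        done
    done
    return 0
}

# setup_fixture
# Constructed test data: a "known-good" tree and a "suspect" tree in which
# ps has been replaced and netstat removed. Prints the working directory.
setup_fixture() {
    work=$(mktemp -d)
    mkdir -p "$work/good/bin" "$work/suspect/bin" "$work/suspect/etc/rc3.d"
    printf 'real ps\n'      > "$work/good/bin/ps"
    printf 'real ls\n'      > "$work/good/bin/ls"
    printf 'real netstat\n' > "$work/good/bin/netstat"
    cp "$work/good/bin/ls" "$work/suspect/bin/ls"      # untouched
    printf 'trojaned ps\n' > "$work/suspect/bin/ps"    # replaced
    # netstat deliberately absent from the suspect tree
    : > "$work/suspect/etc/inittab"
    # Manifest taken from the clean tree, rewritten to absolute paths
    (cd "$work/good" && sha256sum bin/ps bin/ls bin/netstat | sed 's# bin/# /bin/#') \
        > "$work/manifest"
    echo "$work"
}

# demo: run the checks against the constructed fixture and clean up.
demo() {
    work=$(setup_fixture)
    echo "== binary verification =="
    verify_binaries "$work/suspect" "$work/manifest" || echo "(differences found)"
    echo "== startup locations to review =="
    list_startup_hooks "$work/suspect"
    rm -rf "$work"
}

demo
```

Run it from the rescue environment with the real mount point and manifest; anything reported MODIFIED or MISSING, and every listed startup file, should be reviewed before the system's own `ps` output is trusted again.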

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:19 EDT

