RE: hidden processes

Hi-

Is chkrootkit the reason you believe you box was hacked? If so, please check the chrootkit site at http://www.chkrootkit.org They have a mailing list I don't have access to right now but there was a bit of conversation about false positives.

Kevin Johnson

-----Original Message-----
From: Erik Vincent [mailto:evincent@ndexsystems.com] Sent: Thursday, July 31, 2003 10:16 AM
To: Vlady
Cc: security-basics@securityfocus.com
Subject: Re: hidden processes

You can try to use the lsof command and check between your ps output. You cant also check in your /proc filesystem.

If you have another server with the same OS version, you can try to do an md5sum on your ps and netstat command. This will show you if those command have been modify by the hacker.....

A nice thing to do on your unix box, is to have some command burn on CDROM. Command like md5sum, ps, grep, ls, netstat, lsof etc....

If your system get hacker and binnaries are replace, you can use command burn on your CDROM and your are sure to use non modify version of it. Or use a ready only filesystem.....

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

This is my 0.02$ CDN cents...

On Wed, 2003-07-30 at 17:28, Vlady wrote:
> Hi,
> One of my mashines is hacked and chkrootkit-0.40 tells me that I have 3
clean.
> Using "netstat" I can see that there is not a lisenning servise other than
the
> services suppused to work on the machine.
first I
> would like to understand more of what have happend.

Blue Cross Blue Shield of Florida, Inc., and its subsidiary and affiliate companies are not responsible for errors or omissions in this e-mail message. Any personal comments made in this e-mail do not reflect the views of Blue Cross Blue Shield of Florida, Inc. The information contained in this document may be confidential and intended solely for the use of the individual or entity to whom it is addressed. This document may contain material that is privileged or protected from disclosure under applicable law. If you are not the intended recipient or the individual responsible for delivering to the intended recipient, please (1) be advised that any use, dissemination, forwarding, or copying of this document IS STRICTLY PROHIBITED; and (2) notify sender immediately by telephone and destroy the document. THANK YOU.