RE: Rooted? Could anything innocently alter the "i" flag?

> -----Original Message-----
> From: Anthony Campbell [mailto:ac@acampbell.org.uk]
> Sent: 23 March 2004 08:53
>
> > Download a known good (recent) copy of chkrootkit to the box, run it
> > and see if it gives you anything.
> >
> > I'd strongly recommend isolating the box from the net until you're
> > _sure_ you're not rooted.
> >
> > Mark.
>
> Things seem to be getting worse. I originally discovered the problem
> because a routine upgrade of procps failed because it could not make a
> link to /bin/ps. I eventually found that it was due to the "i" flag on
> that file. I removed the flag and it then worked. However, last night I
> found that the flag had returned. I removed it again.
>
> Today, I found that upgrading procps failed again, this time because it
> was unable to create /bin/kill. But /bin/kill does not have the "i" flag
> set. So it definitely seems that something strange is happening.
>
> AC

1. Disconnect the box from the network.
2. No, really, disconnect the box from the network.
3. Get a copy of this: http://www.chkrootkit.org/
4. Build it on a known clean box.
5. Copy the binaries to your hacked box.
6. Run them and see what they say.
7. Reinstall your hacked box. Don't bother trying to repair it; you can
_never_ be sure you got it all.


Mark.
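An added example, not part of this thread or of chkrootkit, showing the two checks a responder would run on the box with known-good tools copied from a clean machine: listing which files carry the immutable "i" attribute (parsed from `lsattr` output) and comparing binaries against a SHA-256 manifest taken from a clean install. The lsattr lines, file contents and hashes are constructed samples; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): defensive triage helpers for a box
# where a critical binary keeps reappearing with the ext2/3 immutable ('i')
# attribute. Run these with statically linked, known-good tools from a clean
# box, never with the suspect system's own ls/lsattr/sha256sum.
# All paths, hashes and lsattr lines below are constructed samples.

# immutable_paths: read `lsattr`-style lines on stdin ("<attrs> <path>") and
# print each path whose attribute field contains lowercase 'i' (immutable).
# Uppercase 'I' (indexed directory) is not matched; sh case patterns are
# case-sensitive.
immutable_paths() {
    while read -r attrs path; do
        [ -n "$path" ] || continue
        case "$attrs" in
            *i*) printf '%s\n' "$path" ;;
        esac
    done
}

# Constructed lsattr output, shaped like `lsattr /bin/ps /bin/kill /bin/ls`.
SAMPLE_LSATTR='----i--------e-- /bin/ps
-------------e-- /bin/kill
-------------e-- /bin/ls'

# sha256_of: print the SHA-256 hex digest of a file (coreutils/busybox sha256sum).
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_manifest: for each "<sha256>  <path>" line in manifest file $1,
# recompute the digest and print "MISSING <path>" or "MISMATCH <path>".
# Returns 0 when every entry matches, 1 otherwise.
verify_manifest() {
    rc=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            printf 'MISSING %s\n' "$path"; rc=1
        elif [ "$(sha256_of "$path")" != "$expected" ]; then
            printf 'MISMATCH %s\n' "$path"; rc=1
        fi
    done < "$1"
    return $rc
}

# build_demo: create a scratch tree with constructed "binaries", write a
# manifest from that clean state, then replace one file to simulate a
# trojaned ps. Prints the scratch directory; the manifest is "$dir/manifest".
build_demo() {
    dir=$(mktemp -d)
    mkdir -p "$dir/bin"
    printf 'clean ps\n'   > "$dir/bin/ps"
    printf 'clean kill\n' > "$dir/bin/kill"
    : > "$dir/manifest"
    for f in "$dir/bin/ps" "$dir/bin/kill"; do
        printf '%s  %s\n' "$(sha256_of "$f")" "$f" >> "$dir/manifest"
    done
    # Tamper after the manifest was taken.
    printf 'trojaned ps\n' > "$dir/bin/ps"
    printf '%s\n' "$dir"
}

# Stand-alone demonstration: expect "/bin/ps" from the lsattr check and a
# "MISMATCH .../bin/ps" line from the manifest check.
printf '%s\n' "$SAMPLE_LSATTR" | immutable_paths
demo=$(build_demo)
verify_manifest "$demo/manifest" || printf 'manifest verification failed\n'
rm -rf "$demo"
```

In practice the manifest is produced on the clean box (the same place the chkrootkit binaries are built) and carried over with them; a file that fails the hash check, or that carries the "i" flag without the administrator having set it, is evidence for the reinstall decision rather than something to clean up in place.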
Salamis Group of Companies -  WWW.SALAMISGROUP.COM