RE: Rooted? Could anything innocently alter the "i" flag?
> -----Original Message-----
> From: Anthony Campbell [mailto:ac@acampbell.org.uk]
> Sent: 23 March 2004 08:53
>
> > Download a known good (recent) copy of chkrootkit to the box, run it
> > and see if it gives you anything.
> >
> > I'd strongly recommend isolating the box from the net until you're
> > _sure_ you're not rooted.
> >
> > Mark.
> >
>
> Things seem to be getting worse. I originally discovered the problem
> because a routine upgrade of procps failed because it could not make a
> link to /bin/ps. I eventually found that it was due to the "i" flag on
> that file. I removed the flag and it then worked. However, last night I
> found that the flag had returned. I removed it again.
>
> Today, I found that upgrading procps failed again, this time because it
> was unable to create /bin/kill. But /bin/kill does not have the "i" flag
> set. So it definitely seems that something strange is happening.
>
> AC
1. Disconnect the box from the network.
2. No, really, disconnect the box from the network.
3. Get a copy of this: http://www.chkrootkit.org/
4. Build it on a known clean box.
5. Copy the binaries to your hacked box.
6. Run them and see what they say.
7. Reinstall your hacked box. Don't bother trying to repair it; you can
_never_ be sure you got it all.
Mark.
Salamis Group of Companies - WWW.SALAMISGROUP.COM
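As an added illustration of the symptom described in the thread (not code from the thread, from chkrootkit, or from either poster), the script below parses `lsattr`-style output and lists every file carrying the immutable "i" attribute, so a recurring flag on a system binary such as /bin/ps shows up in a periodic audit rather than only when a package upgrade fails. The sample `lsattr` lines are constructed, and the `audit_immutable` wrapper assumes a Linux host with e2fsprogs' `lsattr` installed; it skips the live check when the tool is absent.

```shell
#!/bin/sh
# Added example: report files that carry the immutable ("i") attribute,
# the flag the thread says kept reappearing on /bin/ps.
# The sample lsattr output below is constructed for the demonstration.

SAMPLE_LSATTR='----i---------e------- /bin/ps
--------------e------- /bin/kill
--------------e------- /bin/ls
s---ia--------e------- /sbin/init'

# Read lsattr-style lines ("<attrs> <path>") on stdin and print the path of
# every entry whose attribute column contains the immutable flag "i".
# (index() is case-sensitive, so the unrelated "I" attribute does not match.)
immutable_from_lsattr() {
    awk '{ attrs = $1; $1 = ""; sub(/^ /, "");
           if (index(attrs, "i") > 0) print $0 }'
}

# Number of immutable entries in the constructed sample.
count_sample_immutable() {
    printf '%s\n' "$SAMPLE_LSATTR" | immutable_from_lsattr | wc -l | tr -d ' '
}

# First immutable path in the constructed sample.
first_sample_immutable() {
    printf '%s\n' "$SAMPLE_LSATTR" | immutable_from_lsattr | head -n 1
}

# Live audit of one directory (default /bin) on a Linux host with lsattr.
# Prints immutable files; returns 1 if lsattr is not available.
audit_immutable() {
    dir=${1:-/bin}
    if command -v lsattr >/dev/null 2>&1; then
        lsattr -d "$dir"/* 2>/dev/null | immutable_from_lsattr
    else
        echo "lsattr not available; skipping live audit of $dir" >&2
        return 1
    fi
}

# Demonstrate on the constructed sample (expect /bin/ps and /sbin/init).
printf '%s\n' "$SAMPLE_LSATTR" | immutable_from_lsattr
```

Run `audit_immutable /bin` (and again for /sbin and /usr/bin) from a cron job and diff the output against a baseline taken from a known clean install; any new immutable entry is worth the same response the thread recommends, since a legitimate package manager does not set that flag on /bin/ps.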