[21640] in North American Network Operators' Group


Re: Exodus: this is bad

daemon@ATHENA.MIT.EDU (Greg Retkowski)
Tue Nov 17 16:23:56 1998

Date: Tue, 17 Nov 1998 12:47:06 -0800 (PST)
From: Greg Retkowski <greg@rage.net>
To: "Alex P. Rudnev" <alex@Relcom.EU.net>
cc: Michael Freeman <mikef@boris.talentsoft.com>,
        "William S. Duncanson" <caesar@starkreality.com>,
        Adam Rothschild <asr@millburn.net>,
        "Edward S. Marshall" <emarshal@logic.net>,
        Richard Irving <rirving@onecall.net>, nanog@merit.edu
In-Reply-To: <Pine.SUN.3.91.981117221638.10807F-100000@virgin.relcom.eu.net>

On Tue, 17 Nov 1998, Alex P. Rudnev wrote:
> And one more thing. I am not a Linux specialist, but I see a serious
> problem because these compromised servers are usually trojaned by the
> 'Linux Root Kit' hiding all the hacker's activity. If anyone has some tools
> to detect this rootkit (it includes more than 200 files changed in the
> system), point them out, please - all my attempts to contact RedHat and other
> Linux developers caused nothing.

Systems using RPM-based package management (Redhat and most other
distributions) can use the verify function to check their system's files
vs. what was installed. The command to check the entire system is 'rpm -V
-a'. The output looks something like:
S.5....T c /etc/exports
S.5....T c /etc/hosts.allow
S.5....T c /etc/motd

Periods (.) mean the test passed; otherwise you'll get a fail flag:
5: MD5 checksum
S: file size
L: symlink
T: mtime
D: device
U: user
G: group
M: file modes

A 'c' between the flags and the filename indicates that this is a
configuration file (and as such commonly modified). More information
should be in the rpm manpage. Hope this info helps.

-- Greg

|\/\/|   Greg Retkowski   |\/\/|   greg@rage.net
|/\/\|"Save the Factories"|/\/\|   http://www.rage.net/
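As an added illustration of the post above (not code from the thread or from rpm itself), the following script parses `rpm -V -a` output in the layout Greg describes and triages it the way a responder would: a changed checksum or a missing file outside the config set is the strongest rootkit signal, while drift in 'c' files is routine. It assumes the attribute columns are ordered S M 5 D L U G T (matching the eight-character samples above; newer rpm adds a ninth P column, which the parser tolerates) and uses constructed sample output.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Assumed column order of the rpm -V attribute string: S M 5 D L U G T,
# which matches the sample lines in the post. Newer rpm releases append a
# ninth "P" (capabilities) column; "?" marks a test rpm could not perform.
FLAG_NAMES = {
    "S": "size", "M": "mode", "5": "md5", "D": "device", "L": "symlink",
    "U": "user", "G": "group", "T": "mtime", "P": "caps",
}

# attrs, optional one-letter file type (c = config file), then the path.
LINE_RE = re.compile(
    r"^(?P<attrs>[SM5DLUGTP.?]{8,9}|missing)\s+(?:(?P<type>[cdglr])\s+)?(?P<path>/\S.*)$"
)


class Finding(NamedTuple):
    path: str
    failed: List[str]
    is_config: bool
    severity: str


def parse_verify_line(line: str) -> Optional[Finding]:
    """Turn one rpm -V output line into a Finding, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    attrs = m.group("attrs")
    if attrs == "missing":
        failed = ["missing"]
    else:
        failed = [FLAG_NAMES[ch] for ch in attrs if ch in FLAG_NAMES]
    is_config = m.group("type") == "c"
    # A replaced binary (checksum mismatch) or a deleted packaged file outside
    # the config set is what a rootkit install looks like; edited config files
    # are expected on any administered box.
    if "missing" in failed or ("md5" in failed and not is_config):
        severity = "high"
    elif is_config:
        severity = "low"
    else:
        severity = "medium"
    return Finding(m.group("path"), failed, is_config, severity)


def triage(output: str) -> Dict[str, List[str]]:
    """Group the paths in a full rpm -V -a dump by severity."""
    buckets: Dict[str, List[str]] = {"high": [], "medium": [], "low": []}
    for line in output.splitlines():
        f = parse_verify_line(line)
        if f:
            buckets[f.severity].append(f.path)
    return buckets


# Constructed sample in the format shown in the post (not real system output).
SAMPLE_OUTPUT = """\
S.5....T c /etc/exports
S.5....T c /etc/hosts.allow
S.5....T c /etc/motd
S.5....T   /bin/ps
.M......   /usr/bin/passwd
missing    /usr/sbin/tcpd
"""
```

Run it with `rpm -V -a | python3 -c 'import sys, rpmtriage; print(rpmtriage.triage(sys.stdin.read()))'` (module name assumed) and look at the "high" bucket first.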