From: Bruce Ferrell <bferrell@baywinds.org>
To: urgrue@tumsan.fi
Cc: admin <linux-admin@vger.kernel.org>
Subject: Re: hacked
Date: Wed, 12 Jun 2002 08:20:19 -0700 [thread overview]
Message-ID: <3D0766B3.30006@baywinds.org> (raw)
In-Reply-To: 20020612134023.GA2115@fede2.tumsan.fi
search google for vsl and vetes
You find like to a pretty nice kit for locating rootkits and the like.
You don't mention what distro your system is. Hate to say it but if
it's RPM based, you can use the -V option to verify every stinking file
on the system if necessary
urgrue wrote:
> yes, true. ive already replaced the box with a fresh install, but i am
> just curious to know what happened.
>
>
>
>>urgrue wrote:
>>
>>
>>>a hacker has planted trojans and messed around with one of my boxes.
>>>its off the network, but i want to know what he did.
>>>i replaced netstat, ps, lsof (and others) with originals, but nmap
>>>shows that ports 1130 and 53228 are open on the box. i can even
>>>
>>telnet
>>
>>>to these ports and get what definitely looks like backdoors.
>>>but netstat and lsof cant find anything on these ports.
>>>and ps of course doesnt show anything unusual.
>>>since ive replaced the binary commands with originals, but these
>>>
>>ports
>>
>>>are still open, presumably some networking related library has been
>>>trojaned?
>>>
>>Or the kernel itself.
>>
>>Once a system has been cracked, the only reliable solutions are to
>>either revert to a known good backup, or start from scratch[1].
>>
>>[1] Literally. Re-installing the OS over an existing filesystem won't
>>help if a trojan configuration file has been added; "dot" files in
>>root's home directory are a common vector.
>>
>>--
>>Glynn Clements <glynn.clements@virgin.net>
>>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
>
next prev parent reply other threads:[~2002-06-12 15:20 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-06-12 11:51 hacked urgrue
2002-06-12 13:36 ` hacked Glynn Clements
2002-06-12 13:40 ` hacked urgrue
2002-06-12 15:20 ` Bruce Ferrell [this message]
2002-06-12 16:41 ` hacked Glynn Clements
2002-06-12 20:28 ` hacked fred orispaa
2002-06-13 2:09 ` hacked Bruce Ferrell
2002-06-13 2:19 ` hacked Gary E. Miller
2002-06-13 11:46 ` hacked Glynn Clements
2002-06-13 19:06 ` hacked Gary E. Miller
2002-06-17 21:26 ` hacked Ionut Murgoci
-- strict thread matches above, loose matches on Subject: below --
2021-08-31 6:38 Hacked Amanda Jenkins
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3D0766B3.30006@baywinds.org \
--to=bferrell@baywinds.org \
--cc=linux-admin@vger.kernel.org \
--cc=urgrue@tumsan.fi \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.