From: Bruce Ferrell
Subject: Re: hacked
Date: Wed, 12 Jun 2002 08:20:19 -0700
Sender: linux-admin-owner@vger.kernel.org
Message-ID: <3D0766B3.30006@baywinds.org>
References: <20020612115141.GA1599@fede2.tumsan.fi> <15623.20073.595822.36388@cerise.nosuchdomain.co.uk> <20020612134023.GA2115@fede2.tumsan.fi>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; format="flowed"
To: urgrue@tumsan.fi
Cc: admin

Search google for vsl and vetes. You'll find a link to a pretty nice kit for locating rootkits and the like.

You don't mention what distro your system is. Hate to say it, but if it's RPM based, you can use the -V option to verify every stinking file on the system if necessary.

urgrue wrote:
> yes, true. I've already replaced the box with a fresh install, but I am
> just curious to know what happened.
>
>> urgrue wrote:
>>> a hacker has planted trojans and messed around with one of my boxes.
>>> it's off the network, but I want to know what he did.
>>> I replaced netstat, ps, lsof (and others) with originals, but nmap
>>> shows that ports 1130 and 53228 are open on the box. I can even telnet
>>> to these ports and get what definitely looks like backdoors.
>>> but netstat and lsof can't find anything on these ports.
>>> and ps of course doesn't show anything unusual.
>>> since I've replaced the binary commands with originals, but these ports
>>> are still open, presumably some networking related library has been
>>> trojaned?
>>
>> Or the kernel itself.
>>
>> Once a system has been cracked, the only reliable solutions are to
>> either revert to a known good backup, or start from scratch[1].
>>
>> [1] Literally. Re-installing the OS over an existing filesystem won't
>> help if a trojan configuration file has been added; "dot" files in
>> root's home directory are a common vector.
>>
>> --
>> Glynn Clements
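The `rpm -V` verification Bruce suggests produces one line per mismatching file; the following POSIX shell triage is an added example, not code from the thread, that separates replaced binaries and missing package files from harmless mtime-only drift. The `rpm -Va` output lines embedded in it are constructed, not taken from the compromised box.

```shell
#!/bin/sh
# Added example, not from the thread. Triage the output of `rpm -Va`.
# Each rpm -V line is: nine verify flags (or the word "missing"),
# an optional attribute letter (c = config file, d = documentation),
# then the path. "." means the attribute matches the RPM database;
# S = size, M = mode, 5 = digest, D = device, L = symlink, U = user,
# G = group, T = mtime, P = capabilities mean it differs.

# Constructed sample of rpm -Va output for the functions below.
SAMPLE='S.5....T.    /bin/netstat
S.5....T.    /bin/ps
.......T.  c /etc/ssh/sshd_config
S.5....T.  c /etc/motd
missing     /usr/sbin/lsof
.M.......    /var/log/wtmp'

# triage_rpm_verify: read rpm -Va lines on stdin and print one line per
# file that deserves a look: CHANGED when size or digest differ (a
# replaced binary, or a config file whose content really changed),
# MISSING when a file the package owns is gone. mtime-only and
# mode-only differences are skipped; they are routine on configs and logs.
triage_rpm_verify() {
    while IFS= read -r line; do
        if [ -z "$line" ]; then continue; fi
        set -- $line                      # split into: flags [attr] path
        flags=$1; shift
        if [ $# -eq 2 ]; then shift; fi   # drop the attribute letter
        path=$1
        case "$flags" in
            missing) echo "MISSING $path" ;;
            S*|*5*)  echo "CHANGED $path" ;;   # size or digest mismatch
            *)       ;;                        # mtime/mode only: ignore
        esac
    done
}

# triage_sample: run the triage over the constructed sample.
triage_sample() {
    printf '%s\n' "$SAMPLE" | triage_rpm_verify
}

triage_sample
```

On a live system the same function is fed with `rpm -Va 2>/dev/null | triage_rpm_verify`, bearing in mind that the RPM database and the rpm binary itself can be tampered with, which is why Glynn's advice to rebuild rather than trust the box still stands.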